Abstract. AC-completion efficiently handles equality modulo associative and commutative function symbols. When the input is ground, the procedure terminates and provides a decision algorithm for the word problem. In this paper, we present a modular extension of ground AC-completion for deciding formulas in the combination of the theory of equality with user-defined AC symbols, uninterpreted symbols and an arbitrary signature-disjoint Shostak theory X. Our algorithm, called AC(X), is obtained by augmenting ground AC-completion, in a modular way, with the canonizer and solver of the theory X. This integration rests on canonized rewriting, a new relation reminiscent of normalized rewriting, which integrates canonizers into rewriting steps. AC(X) is proved sound, complete and terminating, and is implemented to extend the core of the Alt-Ergo theorem prover.



1. Introduction 

The mechanization of mathematical proofs is a research domain that attracts increasing interest among mathematicians and computer scientists. In particular, automated theorem provers (ATPs) are now used in several contexts (e.g. proof of programs, interactive provers) to discharge "simple" but overwhelmingly numerous intermediate results. While they are more and more efficient, ATPs have difficulty handling some mathematical operators, such as union and intersection of sets, which satisfy the following associativity and commutativity (AC) axioms

$\forall x.\forall y.\forall z.\ u(x, u(y, z)) = u(u(x, y), z)$ (A)
$\forall x.\forall y.\ u(x, y) = u(y, x)$ (C)

Indeed, the mere addition of AC axioms to a prover will usually glut it with plenty of useless equalities, which strongly impacts its performance. In order to avoid this drawback, built-in procedures have been designed to handle AC symbols efficiently. For instance, SMT solvers incorporate dedicated decision procedures for some specific AC symbols such as arithmetic or boolean operators. On the other hand, algorithms found in resolution-based provers, such as AC-completion, allow a powerful generic treatment of user-defined AC symbols.

Given a finite word problem $\bigwedge_{i \in I} s_i = t_i \vdash s = t$ where the function symbols are either uninterpreted or AC, AC-completion attempts to transform the conjunction $\bigwedge_{i \in I} s_i = t_i$ into a finitely terminating, confluent term rewriting system $R$ whose reductions preserve identity. The rewriting system $R$ serves as a decision procedure for validating $s = t$ modulo AC: the equation holds if and only if the normal forms of $s$ and $t$ w.r.t. $R$ are equal modulo AC. Furthermore, when its input contains only ground equations, AC-completion terminates and outputs a convergent rewriting system [Mar91].

Unfortunately, AC reasoning is only a part of the automated deduction problem, and what we really need is to decide formulas combining AC symbols and other theories. For instance, in practice, we are interested in deciding finite ground word problems which contain a mixture of uninterpreted, interpreted and AC function symbols, as in the following assertion

$u(a, c_2 - c_1) = a \;\wedge\; u(e_1, e_2) - f(b) = u(d, d) \;\wedge\; d = c_1 + 1 \;\wedge\; e_2 = b \;\wedge\; u(b, e_1) = f(e_2) \;\wedge\; c_2 = 2 * c_1 + 1 \;\vdash\; a = u(a, 0),$

where $u$ is an AC symbol, $+$, $-$, $*$ and the numerals are from the theory of linear arithmetic, $f$ is an uninterpreted function symbol and the other symbols are uninterpreted constants. A combination of AC reasoning with linear arithmetic and the free theory $\mathcal{E}$ of equality is necessary to prove this formula. Linear arithmetic is used to show that $c_2 - c_1 = c_1 + 1$, so that (i) $u(a, c_1 + 1) = a$ follows by congruence. Independently, $e_2 = b$ and $d = c_1 + 1$ imply (ii) $u(c_1 + 1, c_1 + 1) = 0$ by congruence, linear arithmetic and commutativity of $u$. AC reasoning can finally be used to conclude that (i) and (ii) imply that $u(a, c_1 + 1, c_1 + 1)$ is equal to both $a$ and $u(a, 0)$.

There are two main methods for combining decision procedures for disjoint theories. First, the Nelson-Oppen approach [NO79] is based on a variable abstraction mechanism and the exchange of equalities between shared variables. Second, Shostak's algorithm [Sho84] extends a congruence closure procedure with theories equipped with canonizers and solvers, i.e. procedures that compute canonical forms of terms and solve equations, respectively. While ground AC-completion can be easily combined with other decision procedures by the Nelson-Oppen method, it cannot be directly integrated in Shostak's framework, since it does not provide a solver for the AC theory.

In this paper, we investigate the integration of Shostak theories in ground AC-completion. We first introduce a new notion of rewriting called canonized rewriting, which adapts normalized rewriting to cope with canonization. Then, we present a modular extension of ground AC-completion for deciding formulas in the combination of the theory of equality with user-defined AC symbols, uninterpreted symbols and an arbitrary signature-disjoint Shostak theory X. The main ideas of our integration are to replace standard rewriting by canonized rewriting, using a global canonizer for AC and X, and to replace the equation orientation mechanism found in ground AC-completion with the solver for X.

AC-completion has been studied for a long time in the rewriting community [LB77, PS81]. A generic framework for combining completion with a generic built-in equational theory E has been proposed in [JK86]. Normalized completion [Mar96] is designed to use a modified rewriting relation when the theory E is equivalent to the union of the AC theory and a convergent rewriting system S. In this setting, rewriting steps are only performed on S-normalized terms. AC(X) can be seen as an adaptation of ground normalized completion to efficiently handle the theory E when it is equivalent to the union of the AC theory and a Shostak theory X. In particular, S-normalization is replaced by the application of the canonizer of X. This modular integration of X allows us to reuse the proof techniques of ground AC-completion [Mar91] to show the correctness of AC(X).

Tiwari [Tiw09] efficiently combined equality and AC reasoning in the Nelson-Oppen framework. Kapur [Kap97] used ground completion to demystify Shostak's congruence closure algorithm, and Bachmair et al. [BTV03] compared its strategy with other ones within an abstract congruence closure framework. While the latter approach can also handle AC symbols, none of these works formalized the integration of Shostak theories into (AC) ground completion.

Outline. Section 2 recalls standard ground AC-completion. Section 3 is devoted to Shostak theories and global canonization. Section 4 presents the AC(X) algorithm and illustrates its use through an example. The correctness of AC(X) is detailed in Section 5. In Section 6, we show that a simple preprocessing step allows us to use a partial multiset ordering instead of a full AC-compatible reduction ordering. Experimental results are presented in Section 7. Using a simple example, we illustrate in Section 8 how the instantiation mechanism of Alt-Ergo has to be extended modulo AC in order to fully integrate AC(X) as a core decision procedure for our SMT solver. Conclusion and future works are presented in Section 9.

2. Ground AC-Completion 

In this section, we first briefly recall the usual notations and definitions of [BN98, DJ90] for term rewriting modulo AC. Then, we give the usual set of inference rules for the ground AC-completion procedure and we illustrate its use through an example.

Terms are built from a signature $\Sigma = \Sigma_{AC} \uplus \Sigma_{\mathcal{E}}$ of AC and uninterpreted symbols, and a set of variables $\mathcal{X}$, yielding the term algebra $\mathcal{T}_\Sigma(\mathcal{X})$. The range of letters $a \ldots f$ denotes uninterpreted symbols, $u$ denotes an AC function symbol, $s, t, l, r$ denote terms, and $x, y, z$ denote variables. Viewing terms as trees, subterms within a term $s$ are identified by their positions. Given a position $p$, $s|_p$ denotes the subterm of $s$ at position $p$, and $s[r]_p$ the term obtained by replacement of $s|_p$ by the term $r$. We will also use the notation $s(p)$ to denote the symbol at position $p$ in the tree, and the root position is denoted by $\Lambda$. Given a subset $\Sigma'$ of $\Sigma$, a subterm $t|_p$ of $t$ is a $\Sigma'$-alien of $t$ if $t(p) \notin \Sigma'$ and $p$ is minimal w.r.t. the prefix word ordering.^1 We write $\mathcal{A}_{\Sigma'}(t)$ for the multiset of $\Sigma'$-aliens of $t$.

A substitution is a partial mapping from variables to terms. Substitutions are extended to a total mapping from terms to terms in the usual way. We write $t\sigma$ for the application of a substitution $\sigma$ to a term $t$. A well-founded quasi-ordering [Der82] $\preceq$ on terms is a reduction quasi-ordering if $s \preceq t$ implies $s\sigma \preceq t\sigma$ and $l[s]_p \preceq l[t]_p$, for any substitution $\sigma$, term $l$ and position $p$. A quasi-ordering $\preceq$ defines an equivalence relation $\sim$ as $\preceq \cap \succeq$ and a partial ordering $\prec$ as $\preceq \setminus \succeq$.

An equation is an unordered pair of terms, written $s \approx t$. The variables contained in an equation, if any, are understood as being universally quantified. Given a set of equations $E$, the equational theory of $E$, written $=_E$, is the set of equations that can be obtained by reflexivity, symmetry, transitivity, congruence and instances of equations in $E$. The word problem for $E$ consists in determining if, given two ground terms $s$ and $t$, the equation $s \approx t$ is in $=_E$, denoted by $s =_E t$. The word problem for $E$ is ground when $E$ contains only ground equations. An equational theory $=_E$ is said to be inconsistent when $s =_E t$ for any $s$ and $t$.

^1 Notice that according to this definition, a variable may be a $\Sigma'$-alien.

A rewriting rule is an oriented equation, usually denoted by $l \to r$. A term $s$ rewrites to a term $t$ at position $p$ by the rule $l \to r$, denoted by $s \to^p_{l \to r} t$, iff there exists a substitution $\sigma$ such that $s|_p = l\sigma$ and $t = s[r\sigma]_p$. A rewriting system is a set of rules. We write $s \to_R t$ whenever there exists a rule $l \to r$ of $R$ such that $s$ rewrites to $t$ by $l \to r$ at some position. A normal form of a term $s$ w.r.t. $R$ is a term $t$ such that $s \to^*_R t$ and $t$ cannot be rewritten by $R$. The system $R$ is said to be convergent whenever any term $s$ has a unique normal form, denoted $s\!\downarrow_R$, and does not admit any infinite reduction. Completion [KB70] aims at converting a set $E$ of equations into a convergent rewriting system $R$ such that the sets $=_E$ and $\{s \approx t \mid s\!\downarrow_R\, =\, t\!\downarrow_R\}$ coincide. Given a suitable reduction ordering on terms, it has been proved that completion terminates when $E$ is ground [Lan75].

Rewriting modulo AC. Let $=_{AC}$ be the equational theory obtained from the set

$AC = \bigcup_{u \in \Sigma_{AC}} \{\, u(x, y) \approx u(y, x),\ u(x, u(y, z)) \approx u(u(x, y), z) \,\}.$

In general, given a set $E$ of equations, it has been shown that no suitable reduction ordering allows completion to produce a convergent rewriting system for $E \cup AC$. When $E$ is ground, an alternative consists in in-lining AC reasoning both in the notion of rewriting step and in the completion procedure.

Rewriting modulo AC is directly related to the notion of matching modulo AC, as shown by the following example. Given a rule $u(a, u(b, c)) \to t$, we would like the following reductions to be possible:

(1) $f(u(c, u(b, a)), d) \to f(t, d)$,

(2) $u(a, u(c, u(d, b))) \to u(t, d)$.

Associativity and commutativity of $u$ are needed in (1) for the subterm $u(c, u(b, a))$ to match the term $u(a, u(b, c))$, and in (2) for the term $u(a, u(c, u(d, b)))$ to be seen as $u(u(a, u(b, c)), d)$, so that the rule can be applied. More formally, this leads to the following definition.

Definition 2.1 (Ground rewriting modulo AC). A term $s$ rewrites to a term $t$ modulo AC at position $p$ by the rule $l \to r$, denoted by $s \to^p_{AC \backslash l \to r} t$, iff one of the following conditions holds:

(1) $s|_p =_{AC} l$ and $t = s[r]_p$,

(2) $l(\Lambda) = u$ and there exists a term $s'$ such that $s|_p =_{AC} u(l, s')$ and $t = s[u(r, s')]_p$.

In order to produce a convergent rewriting system, ground AC-completion requires a well-founded reduction quasi-ordering $\preceq$, total on ground terms, whose underlying equivalence relation coincides with $=_{AC}$. Such an ordering will be called a total ground AC-reduction ordering.

The inference rules for ground AC-completion are given in Figure 1. The rules describe the evolution of the state of the procedure, represented as a configuration $\langle E \mid R \rangle$, where $E$ is a set of ground equations and $R$ a ground set of rewriting rules. The initial state is $\langle E_0 \mid \emptyset \rangle$ where $E_0$ is a given set of ground equations. Trivial removes an equation $u \approx v$ from $E$ when $u$ and $v$ are equal modulo AC. Orient turns an equation into a rewriting rule according to a given total ground AC-reduction ordering $\preceq$. $R$ is used to rewrite either side of an equation (Simplify), and to reduce the right-hand side of rewriting rules (Compose). Given a rule $l \to r$, Collapse either reduces $l$ at an inner position, or replaces $l$ by a term smaller than $r$. In both cases, the reduction of $l$ to $l'$ may influence the orientation of the rule $l' \to r$, which is added to $E$ as an equation in order to be re-oriented. Finally, Deduce adds equational consequences of rewriting rules to $E$. For instance, if $R$ contains two rules of the form $u(a, b) \to s$ and $u(a, c) \to t$, then the term $u(a, u(b, c))$ can either be reduced to $u(s, c)$ or to the term $u(t, b)$. The equation $u(s, c) \approx u(t, b)$, called a critical pair, is thus necessary for ensuring convergence of $R$. Critical pairs of a set of rules are computed by the following function ($a^u$ stands for the maximal term w.r.t. size enjoying the assertion):

$\mathrm{headCP}(R) = \{\, u(b', r) \approx u(b, r') \;\mid\; l \to r \in R,\ l' \to r' \in R,\ \exists a^u.\ l =_{AC} u(a^u, b) \wedge l' =_{AC} u(a^u, b') \,\}$

^2 The equational theory of the free theory of equality $\mathcal{E}$, defined by the empty set of equations, is simply denoted $=$.



Trivial: $\langle E \cup \{s \approx t\} \mid R \rangle \Longrightarrow \langle E \mid R \rangle$ if $s =_{AC} t$

Orient: $\langle E \cup \{s \approx t\} \mid R \rangle \Longrightarrow \langle E \mid R \cup \{s \to t\} \rangle$ if $t \prec s$

Simplify: $\langle E \cup \{s \approx t\} \mid R \rangle \Longrightarrow \langle E \cup \{s' \approx t\} \mid R \rangle$ if $s \to_{AC \backslash R} s'$

Compose: $\langle E \mid R \cup \{l \to r\} \rangle \Longrightarrow \langle E \mid R \cup \{l \to r'\} \rangle$ if $r \to_{AC \backslash R} r'$

Collapse: $\langle E \mid R \cup \{g \to d,\ l \to r\} \rangle \Longrightarrow \langle E \cup \{l' \approx r\} \mid R \cup \{g \to d\} \rangle$ if $l \to_{AC \backslash g \to d} l'$ and $g \prec l \;\vee\; (g \sim l \wedge d \prec r)$

Deduce: $\langle E \mid R \rangle \Longrightarrow \langle E \cup \{s \approx t\} \mid R \rangle$ if $s \approx t \in \mathrm{headCP}(R)$

Figure 1: Inference rules for ground AC-completion.



Example. To get a flavor of ground AC-completion, consider a modified version of the assertion given in the introduction, where the arithmetic part has been removed (and uninterpreted constant symbols renamed for the sake of simplicity):

$u(a_1, a_4) \approx a_1,\ u(a_3, a_6) \approx u(a_5, a_5),\ a_5 \approx a_4,\ a_6 \approx a_2 \;\vdash\; a_1 \approx u(a_1, u(a_6, a_3)).$

The precedence $a_1 \prec_p \cdots \prec_p a_6 \prec_p u$ defines an AC-RPO ordering on terms [NR93] which is suitable for ground AC-completion. The table in Figure 2 shows the application steps of the rules given in Figure 1 from an initial configuration

$\langle \{u(a_1, a_4) \approx a_1,\ u(a_3, a_6) \approx u(a_5, a_5),\ a_5 \approx a_4,\ a_6 \approx a_2\} \mid \emptyset \rangle$

to a final configuration $\langle \emptyset \mid R_f \rangle$, where $R_f$ is the set of rewriting rules $\{1, 3, 5, 7, 10\}$. It can be checked that $a_1\!\downarrow_{R_f}$ and $u(a_1, u(a_6, a_3))\!\downarrow_{R_f}$ are identical.
| Step | Result | Rule applied |
|---|---|---|
| 1 | $u(a_1, a_4) \to a_1$ | Ori $u(a_1, a_4) \approx a_1$ |
| 2 | $u(a_3, a_6) \to u(a_5, a_5)$ | Ori $u(a_3, a_6) \approx u(a_5, a_5)$ |
| 3 | $a_5 \to a_4$ | Ori $a_5 \approx a_4$ |
| 4 | $u(a_3, a_6) \to u(a_4, a_4)$ | Com 2 and 3 |
| 5 | $a_6 \to a_2$ | Ori $a_6 \approx a_2$ |
| 6 | $u(a_3, a_2) \approx u(a_4, a_4)$ | Col 4 and 5 |
| 7 | $u(a_4, a_4) \to u(a_3, a_2)$ | Ori 6 |
| 8 | $u(a_1, a_4) \approx u(a_1, u(a_3, a_2))$ | Ded from 1 and 7 |
| 9 | $a_1 \approx u(a_1, u(a_3, a_2))$ | Sim 8 by 1 |
| 10 | $u(a_1, u(a_3, a_2)) \to a_1$ | Ori 9 |

Figure 2: Ground AC-completion example.
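The headCP function of Section 2 and the Deduce step 8 of Figure 2, as an added example that is not part of the paper or of Alt-Ergo's code. Ground terms are nested Python tuples; for two rules whose left-hand sides are rooted by the same AC symbol, the script takes the multiset of u-aliens of each side, moves the largest common part into $a^u$, and returns the critical pair $u(b', r) \approx u(b, r')$. Arguments of u are flattened and sorted (assumption: a textual ordering on terms), so the results are AC-equal to the figure's up to the order of arguments; non-u aliens are assumed already canonical.

```python
from itertools import combinations

AC_SYMBOLS = {"u"}   # assumption: a single AC symbol u; every other symbol is uninterpreted

def flatten(u, t):   # the multiset (as a list) of u-aliens of t
    return flatten(u, t[1]) + flatten(u, t[2]) if isinstance(t, tuple) and t[0] == u else [t]

def tree(u, args):   # canonical right-nested u-tree: arguments flattened, then sorted textually
    flat = sorted((x for a in args for x in flatten(u, a)), key=repr)
    res = flat[-1]
    for a in reversed(flat[:-1]):
        res = (u, a, res)
    return res

def head_cp(rules):
    """headCP(R): for rules l -> r and l' -> r' with l =_AC u(a, b) and l' =_AC u(a, b'),
    a being the largest common u-part, the critical pair u(b', r) ~ u(b, r')."""
    pairs = []
    for (l, r), (l2, r2) in combinations(rules, 2):
        if not (isinstance(l, tuple) and isinstance(l2, tuple)
                and l[0] == l2[0] and l[0] in AC_SYMBOLS):
            continue                          # only u-rooted left-hand sides can overlap
        u = l[0]
        b, b2, common = flatten(u, l), flatten(u, l2), []
        for x in list(b):
            if x in b2:                       # move x from both sides into the common part a
                b.remove(x); b2.remove(x); common.append(x)
        if common and b and b2:               # skipped: no overlap, or one side subsumes the other
            pairs.append((tree(u, b2 + [r]), tree(u, b + [r2])))
    return pairs

def figure2_step8():
    """Rules 1 and 7 of Figure 2 yield the equation deduced at step 8."""
    rule1 = (("u", "a1", "a4"), "a1")
    rule7 = (("u", "a4", "a4"), ("u", "a3", "a2"))
    return head_cp([rule1, rule7])
```

`figure2_step8()` returns the single pair $u(a_1, a_4) \approx u(a_1, u(a_2, a_3))$, i.e. step 8 with the arguments of $u$ sorted. Pairing rule 1 with the final rule 10 instead gives the same equation the other way round, which Simplify by rule 1 and Trivial then discard.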



3. Shostak Theories and Global Canonization

In this section, we recall the notions of canonizers and solvers underlying Shostak theories and show how to obtain a global canonizer for the combination of the theories $\mathcal{E}$ and AC with an arbitrary signature-disjoint Shostak theory X.

From now on, we assume given a theory X with a signature $\Sigma_X$. A canonizer for X is a function $\mathrm{can}_X$ that computes a unique normal form for every term, such that $s =_X t$ iff $\mathrm{can}_X(s) = \mathrm{can}_X(t)$. A solver for X is a function $\mathrm{solve}_X$ that solves equations between $\Sigma_X$-terms. Given an equation $s \approx t$, $\mathrm{solve}_X(s \approx t)$ either returns a special value $\bot$ when $s \approx t \cup X$ is inconsistent, or an equivalent substitution. A Shostak theory X is a theory with a canonizer and a solver which fulfill some standard properties, given for instance in [KC05].

Our combination technique is based on the integration of a Shostak theory X in ground AC-completion. From now on, we assume that terms are built from a signature $\Sigma$ defined as the union of the disjoint signatures $\Sigma_{AC}$, $\Sigma_{\mathcal{E}}$ and $\Sigma_X$. We also assume a total ground AC-reduction ordering $\preceq$ defined on $\mathcal{T}_\Sigma(\mathcal{X})$, used later on for completion. The combination mechanism requires defining both a global canonizer for the union of AC and X, and a wrapper of $\mathrm{solve}_X$ to handle heterogeneous equations. These definitions make use of a global one-to-one mapping $\alpha : \mathcal{T}_\Sigma \to \mathcal{X}$ (and its inverse mapping $\rho$) and are based on a variable abstraction mechanism which computes the pure $\Sigma_X$-part $\lceil t \rceil$ of a heterogeneous term $t$ as follows:

$\lceil t \rceil = f(\lceil \vec{s} \rceil)$ when $t = f(\vec{s})$ and $f \in \Sigma_X$,
$\lceil t \rceil = t\alpha$ otherwise.



The canonizer for AC defined in [Hul79] is based on flattening and sorting techniques which simulate associativity and commutativity, respectively. For instance, the term $u(u(u'(c, b), b), c)$ is first flattened to $u(u'(c, b), b, c)$ and then sorted^3 to get the term $u(b, c, u'(c, b))$. It has been formally proved that this canonizer solves the word problem for AC [Con04]. However, this definition implies a modification of the signature $\Sigma_{AC}$, where the arity of AC symbols becomes variadic. Using such a canonizer would impact the definition of AC-rewriting given in Section 2. In order to avoid such a modification, we shall define an equivalent canonizer that builds degenerate trees instead of flattened terms. For instance, we would expect the normal form of $u(u(u'(c, b), b), c)$ to be $u(b, u(c, u'(c, b)))$. Given a signature $\Sigma$ which contains $\Sigma_{AC}$ and any total ordering $<$ on terms, we define $\mathrm{can}_{AC}$ by:

$\mathrm{can}_{AC}(x) = x$ when $x \in \mathcal{X}$,
$\mathrm{can}_{AC}(f(\vec{v})) = f(\mathrm{can}_{AC}(\vec{v}))$ when $f \notin \Sigma_{AC}$,
$\mathrm{can}_{AC}(u(t_1, t_2)) = u(s_1, u(s_2, \ldots, u(s_{n-1}, s_n) \ldots))$ when $u \in \Sigma_{AC}$,
where $t'_i = \mathrm{can}_{AC}(t_i)$ for $i \in [1, 2]$, $\{\!\{ s_1, \ldots, s_n \}\!\} = \mathcal{A}_{\{u\}}(t'_1) \cup \mathcal{A}_{\{u\}}(t'_2)$, and $s_i \le s_{i+1}$ for $i \in [1, n-1]$.

We can easily show that $\mathrm{can}_{AC}$ enjoys the standard properties required for a canonizer. The proof that $\mathrm{can}_{AC}$ solves the word problem for AC follows directly from the one given in [Con04].

^3 For instance, using the AC-RPO ordering based on the precedence $b \prec_p c \prec_p u$.

Using the technique described in [KC05], we define our global canonizer $\mathrm{can}$, which combines $\mathrm{can}_X$ with $\mathrm{can}_{AC}$, as follows:

$\mathrm{can}(x) = x$ when $x \in \mathcal{X}$,
$\mathrm{can}(f(\vec{v})) = f(\mathrm{can}(\vec{v}))$ when $f \in \Sigma_{\mathcal{E}}$,
$\mathrm{can}(u(s, t)) = \mathrm{can}_{AC}(u(\mathrm{can}(s), \mathrm{can}(t)))$ when $u \in \Sigma_{AC}$,
$\mathrm{can}(f_X(\vec{v})) = \mathrm{can}_X(\lceil f_X(\mathrm{can}(\vec{v})) \rceil)\rho$ when $f_X \in \Sigma_X$.

Again, the proofs that $\mathrm{can}$ solves the word problem for the union of $\mathcal{E}$, AC and X, and enjoys the standard properties required for a canonizer, are similar to those given in [KC05]. The only difference is that $\mathrm{can}_{AC}$ directly works on the signature $\Sigma$, which avoids the use of a variable abstraction step when canonizing a mixed term of the form $u(t_1, t_2)$ such that $u \in \Sigma_{AC}$.

Using the same mappings $\alpha$, $\rho$ and the abstraction function, the wrapper $\mathrm{solve}$ can be easily defined by:

$\mathrm{solve}(s \approx t) = \bot$ if $\mathrm{solve}_X(\lceil s \rceil \approx \lceil t \rceil) = \bot$,
$\mathrm{solve}(s \approx t) = \{x_i\rho \to t_i\rho\}$ if $\mathrm{solve}_X(\lceil s \rceil \approx \lceil t \rceil) = \{x_i \approx t_i\}$.

In order to ensure termination of AC(X), the global canonizer and the wrapper must be compatible with the ordering $\preceq$ used by AC-completion, that is:

Lemma 3.1.
(1) $\forall t \in \mathcal{T}_\Sigma,\ \mathrm{can}(t) \preceq t$,
(2) $\forall s, t \in \mathcal{T}_\Sigma$, if $\mathrm{solve}(s \approx t) = \bigcup \{p_i \to v_i\}$ then $v_i \prec p_i$.

We can prove that the above properties hold when the theory X enjoys the following local compatibility properties:

Axiom 3.2.
(1) $\forall t \in \mathcal{T}_\Sigma,\ \mathrm{can}_X(\lceil t \rceil) \preceq \lceil t \rceil$,
(2) $\forall s, t \in \mathcal{T}_\Sigma$, if $\mathrm{solve}_X(\lceil s \rceil \approx \lceil t \rceil) = \bigcup \{x_i \approx t_i\}$ then $t_i\rho \prec x_i\rho$.
To fulfill this axiom, the AC-reduction ordering can be chosen as an AC-RPO ordering [NR93] based on a precedence relation $\prec_p$ such that $\Sigma_X \prec_p \Sigma_{\mathcal{E}} \cup \Sigma_{AC}$. From now on, we assume that X is locally compatible with $\preceq$.

Example. To solve the equation $u(a, b) + a \approx 0$, we use the abstraction $\alpha = \{u(a, b) \mapsto x,\ a \mapsto y\}$ and call $\mathrm{solve}_X$ on $x + y \approx 0$. Since $a \prec u(a, b)$, the only solution which fulfills the axiom above is $\{x \approx -y\}$. We apply $\rho$ and get the set $\{u(a, b) \to -a\}$ of rewriting rules.

4. Ground AC-Completion Modulo X

In this section, we present the AC(X) algorithm, which extends the ground AC-completion procedure given in Section 2. For that purpose, we first adapt the notion of ground AC-rewriting to cope with canonizers. Then, we show how to refine the inference rules given in Figure 1 to reason modulo the equational theory induced by a set $E$ of ground equations and the theories $\mathcal{E}$, AC and X.

4.1. Canonized Rewriting. From the rewriting point of view, a canonizer behaves like a convergent rewriting system: it gives an effective way of computing normal forms. Thus, a natural way for integrating $\mathrm{can}$ in ground AC-completion is to extend normalized rewriting [Mar96].

Definition 4.1. Let $\mathrm{can}$ be a canonizer. A term $s$ can-rewrites to a term $t$ at position $p$ by the rule $l \to r$, denoted by $s \leadsto^p_{l \to r} t$, iff

$s \to^p_{AC \backslash l \to r} s'$ and $\mathrm{can}(s') = t$.

Example. Using the usual canonizer $\mathrm{can}_{\mathcal{A}}$ for linear arithmetic and the rule $\gamma : u(a, b) \to a$, the term $f(a + 2 * u(b, a))$ $\mathrm{can}_{\mathcal{A}}$-rewrites to $f(3 * a)$ as follows:

$f(a + 2 * u(b, a)) \to_{AC \backslash \gamma} f(a + 2 * a)$ and $\mathrm{can}_{\mathcal{A}}(f(a + 2 * a)) = f(3 * a)$.

Lemma 4.2. $\forall s,\ s \leadsto_{l \to r} t \Longrightarrow s =_{AC, X, l \to r} t$.
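Definition 2.1, the $\mathrm{can}_{AC}$ canonizer of Section 3, the solve example of Section 3 and the can-rewriting step above, gathered in one added example that is not part of the paper or of Alt-Ergo's implementation. It instantiates X with linear arithmetic: a canonical linear term is a constant plus coefficients over its aliens, the AC part is flatten-and-sort into right-nested trees, and the solve wrapper solves the equation for its largest alien. The tuple encoding of terms, the textual ordering used to sort arguments and the treatment of u' as an uninterpreted symbol are assumptions of the example.

```python
from fractions import Fraction
# Terms: a str is an uninterpreted constant, an int a numeral, ("u", s, t) an AC application,
# ("f", s) an uninterpreted application, ("+", s, t), ("-", s, t), ("*", k, t) linear arithmetic
# and ("lin", c, ((alien, coeff), ...)) the canonical form c + sum(coeff * alien) of a linear term.
AC_SYMBOLS = {"u"}              # assumption: a single user-defined AC symbol
ARITH = {"+", "-", "*", "lin"}  # the Shostak theory X here is linear arithmetic

def key(t):                     # a total ordering on terms (assumption: textual size, then text)
    return (len(repr(t)), repr(t))

def children(t):                # immediate subterms; for a canonical linear term, its aliens
    return () if not isinstance(t, tuple) else tuple(a for a, _ in t[2]) if t[0] == "lin" else t[1:]

def rebuild(t, kids):           # t with its immediate subterms replaced, in order, by kids
    return ("lin", t[1], tuple(zip(kids, (c for _, c in t[2])))) if t[0] == "lin" else (t[0],) + tuple(kids)

def flatten(u, t):              # the multiset (as a list) of u-aliens of t
    return flatten(u, t[1]) + flatten(u, t[2]) if isinstance(t, tuple) and t[0] == u else [t]

def tree(u, args):              # right-nested u-tree over a non-empty argument list
    res = args[-1]
    for a in reversed(args[:-1]):
        res = (u, a, res)
    return res

def linear(t):                  # linear form (constant, {alien: coeff}) of an arithmetic term
    if isinstance(t, int):
        return Fraction(t), {}
    if not isinstance(t, tuple) or t[0] not in ARITH:   # an alien is a monomial of coefficient 1
        return Fraction(0), {can(t): Fraction(1)}
    if t[0] == "*":
        c, m = linear(t[2])
        return t[1] * c, {a: t[1] * k for a, k in m.items()}
    if t[0] == "lin":
        c, terms = t[1], [(k, a) for a, k in t[2]]
    else:
        (c1, m1), (c2, m2), sg = linear(t[1]), linear(t[2]), (1 if t[0] == "+" else -1)
        c, terms = c1 + sg * c2, [(k, a) for a, k in m1.items()] + [(sg * k, a) for a, k in m2.items()]
    m = {}
    for k, a in terms:          # collect like monomials; aliens are kept canonical
        m[can(a)] = m.get(can(a), 0) + k
    return c, {a: k for a, k in m.items() if k != 0}

def can(t):                     # global canonizer: can_X on arithmetic, flatten-and-sort on AC nodes
    if isinstance(t, str):
        return t
    if isinstance(t, int) or t[0] in ARITH:
        c, m = linear(t)
        if not m:
            return int(c) if c.denominator == 1 else ("lin", c, ())
        if c == 0 and len(m) == 1 and next(iter(m.values())) == 1:
            return next(iter(m))                        # 0 + 1*s is the alien s itself
        return ("lin", c, tuple(sorted(m.items(), key=lambda kv: key(kv[0]))))
    if t[0] in AC_SYMBOLS:
        return tree(t[0], sorted(flatten(t[0], can(t[1])) + flatten(t[0], can(t[2])), key=key))
    return (t[0],) + tuple(can(a) for a in t[1:])

def rewrite_ac(s, l, r):        # one step of ground rewriting modulo AC (Definition 2.1), or None
    if s == l:                                          # case (1): the subterm is l
        return r
    if isinstance(s, tuple) and isinstance(l, tuple) and s[0] == l[0] and s[0] in AC_SYMBOLS:
        rest, missing = flatten(s[0], s), []            # case (2): s =_AC u(l, s') with s' = rest
        for a in flatten(s[0], l):
            rest.remove(a) if a in rest else missing.append(a)
        if not missing:
            return r if not rest else (s[0], r, tree(s[0], rest))
    kids = list(children(s))                            # otherwise rewrite at a deeper position
    for i, k in enumerate(kids):
        t = rewrite_ac(k, l, r)
        if t is not None:
            kids[i] = t
            return rebuild(s, kids)
    return None

def solve(s, t):                # the solve wrapper: None (bottom) if inconsistent, else rules p -> v
    c, m = linear(("-", s, t))
    if not m:
        return [] if c == 0 else None
    p = max(m, key=key)         # solve for the largest alien, so that v is smaller than p (Axiom 3.2)
    k = m.pop(p)
    return [(p, can(("lin", -c / k, tuple((a, -q / k) for a, q in m.items()))))]

def show(t):                    # pretty-printer
    if isinstance(t, (str, int)):
        return str(t)
    if t[0] == "lin":
        parts = [show(a) if k == 1 else "-" + show(a) if k == -1 else f"{k}*{show(a)}" for a, k in t[2]]
        return " + ".join(parts + ([str(t[1])] if t[1] != 0 or not parts else [])).replace("+ -", "- ")
    return f"{t[0]}({', '.join(show(a) for a in t[1:])})"

def demo():                     # the page's examples; u' is treated as an uninterpreted symbol
    l, r = ("u", "a", ("u", "b", "c")), "t"
    s = can(("f", ("+", "a", ("*", 2, ("u", "b", "a")))))
    return {"def21": (show(rewrite_ac(("f", ("u", "c", ("u", "b", "a")), "d"), l, r)),
                      show(rewrite_ac(("u", "a", ("u", "c", ("u", "d", "b"))), l, r))),
            "can_ac": show(can(("u", ("u", ("u'", "c", "b"), "b"), "c"))),
            "solve": [(show(p), show(v)) for p, v in solve(("+", ("u", "a", "b"), "a"), 0)],
            "can_rw": (show(s), show(can(rewrite_ac(s, can(("u", "a", "b")), "a"))))}
```

`demo()` reproduces the two reductions of Section 2 (`f(t, d)` and `u(t, d)`), the canonical form `u(b, u(c, u'(c, b)))`, the rule `u(a, b) -> -a` of the solve example, and the can-rewriting step from `f(a + 2*u(a, b))` to `f(3*a)`; the canonized step is simply `can` applied to the result of `rewrite_ac`, which is Definition 4.1. The same `solve` applied to equation 8 of Figure 4 yields rule 9, `u(c1 + 1, c1 + 1) -> 0`, and returns `None` on an inconsistent equation such as `a + 1 ~ a`, which is where the Bottom rule fires.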

4.2. The AC(X) Algorithm. The first step of our combination technique consists in replacing the rewriting relation found in completion by canonized rewriting. This leads to the rules of AC(X) given in Figure 3. The state of the procedure is a pair $\langle E \mid R \rangle$ of equations and rewriting rules. The initial configuration is $\langle E_0 \mid \emptyset \rangle$ where $E_0$ is supposed to be a set of equations between canonized terms. Since AC(X)'s rules only involve canonized rewriting, the algorithm maintains the invariant that terms occurring in $E$ and $R$ are in canonical form. Trivial thus removes an equation $u \approx v$ from $E$ when $u$ and $v$ are syntactically equal. A new rule Bottom is used to detect inconsistent equations. Similarly to normalized completion, integrating the global canonizer $\mathrm{can}$ in rewriting is not enough to fully extend ground AC-completion with the theory X: in both cases the orientation mechanism has to be adapted. Therefore, the second step consists in integrating the wrapper $\mathrm{solve}$ in the Orient rule. The other rules are much similar to those of ground AC-completion, except that they use the relation $\leadsto_R$ instead of $\to_{AC \backslash R}$.
Trivial: $\langle E \cup \{s \approx t\} \mid R \rangle \Longrightarrow \langle E \mid R \rangle$ if $s = t$

Bottom: $\langle E \cup \{s \approx t\} \mid R \rangle \Longrightarrow \bot$ if $\mathrm{solve}(s, t) = \bot$

Orient: $\langle E \cup \{s \approx t\} \mid R \rangle \Longrightarrow \langle E \mid R \cup \mathrm{solve}(s, t) \rangle$ if $\mathrm{solve}(s, t) \neq \bot$

Simplify: $\langle E \cup \{s \approx t\} \mid R \rangle \Longrightarrow \langle E \cup \{s' \approx t\} \mid R \rangle$ if $s \leadsto_R s'$

Compose: $\langle E \mid R \cup \{l \to r\} \rangle \Longrightarrow \langle E \mid R \cup \{l \to r'\} \rangle$ if $r \leadsto_R r'$

Collapse: $\langle E \mid R \cup \{g \to d,\ l \to r\} \rangle \Longrightarrow \langle E \cup \{l' \approx r\} \mid R \cup \{g \to d\} \rangle$ if $l \leadsto_{g \to d} l'$ and $g \prec l \;\vee\; (g \sim l \wedge d \prec r)$

Deduce: $\langle E \mid R \rangle \Longrightarrow \langle E \cup \{s \approx t\} \mid R \rangle$ if $s \approx t \in \mathrm{headCP}(R)$

Figure 3: Inference rules for ground AC-completion modulo X.



Example. We illustrate AC(X) on the example given in the introduction:

$u(a, c_2 - c_1) \approx a \;\wedge\; u(e_1, e_2) - f(b) \approx u(d, d) \;\wedge\; d \approx c_1 + 1 \;\wedge\; e_2 \approx b \;\wedge\; u(b, e_1) \approx f(e_2) \;\wedge\; c_2 \approx 2 * c_1 + 1 \;\vdash\; a \approx u(a, 0)$

The table given in Figure 4 shows the application of the rules of AC(X) on the example when X is instantiated by linear arithmetic. We use an AC-RPO ordering based on the precedence $1 \prec_p 2 \prec_p a \prec_p b \prec_p c_1 \prec_p c_2 \prec_p d \prec_p e_1 \prec_p e_2 \prec_p f \prec_p u$. The procedure terminates and produces a convergent rewriting system $R_f = \{3, 5, 9, 10, 11, 13, 16\}$. Using $R_f$, we can check that $a$ and $u(a, 0)$ can-rewrite to the same normal form.



5. Correctness

In this section, we give detailed proofs for the correctness of AC(X). This property is stated by the theorem below, and its proof is based on three intermediate theorems, stating respectively soundness, completeness and termination.

As usual, in order to enforce correctness, we cannot use any (unfair) strategy. We say that a strategy is strongly fair when no possible application of an inference rule is infinitely delayed and Orient is only applied over fully reduced terms.

Theorem 5.1. Given a set $E$ of ground equations, the application of the rules of AC(X) under a strongly fair strategy terminates and either produces $\bot$ when $E \cup AC \cup X$ is inconsistent, or yields a final configuration $\langle \emptyset \mid R \rangle$ such that:

$\forall s, t \in \mathcal{T}_\Sigma.\ s =_{E, AC, X} t \;\Longleftrightarrow\; \mathrm{can}(s)\!\downarrow_R\, =\, \mathrm{can}(t)\!\downarrow_R.$

In the following, we shall consider a fixed run of the completion procedure

$\langle E_0 \mid \emptyset \rangle \Longrightarrow \langle E_1 \mid R_1 \rangle \Longrightarrow \cdots \Longrightarrow \langle E_n \mid R_n \rangle \Longrightarrow \langle E_{n+1} \mid R_{n+1} \rangle \Longrightarrow \cdots$

starting from the initial configuration $\langle E_0 \mid \emptyset \rangle$. We denote by $R_\infty$ (resp. $E_\infty$) the set of all encountered rules $\bigcup_n R_n$ (resp. equations $\bigcup_n E_n$), and by $R_\omega$ (resp. $E_\omega$) the set of persistent rules $\bigcup_n \bigcap_{i > n} R_i$ (resp. equations $\bigcup_n \bigcap_{i > n} E_i$).
| Step | Result | Rule applied |
|---|---|---|
| 1 | $u(a, c_2 - c_1) \to a$ | Ori $u(a, c_2 - c_1) \approx a$ |
| 2 | $u(e_1, e_2) \to u(d, d) + f(b)$ | Ori $u(e_1, e_2) - f(b) \approx u(d, d)$ |
| 3 | $d \to c_1 + 1$ | Ori $d \approx c_1 + 1$ |
| 4 | $u(e_1, e_2) \to u(c_1 + 1, c_1 + 1) + f(b)$ | Com 2 and 3 |
| 5 | $e_2 \to b$ | Ori $e_2 \approx b$ |
| 6 | $u(b, e_1) \approx u(c_1 + 1, c_1 + 1) + f(b)$ | Col 4 and 5 |
| 7 | $u(b, e_1) \to u(c_1 + 1, c_1 + 1) + f(b)$ | Ori $u(b, e_1) \approx u(c_1 + 1, c_1 + 1) + f(b)$ |
| 8 | $u(c_1 + 1, c_1 + 1) + f(b) \approx f(b)$ | Sim $u(b, e_1) \approx f(e_2)$ by 5 and 7 |
| 9 | $u(c_1 + 1, c_1 + 1) \to 0$ | Ori $u(c_1 + 1, c_1 + 1) + f(b) \approx f(b)$ |
| 10 | $u(b, e_1) \to f(b)$ | Com 7 and 9 |
| 11 | $c_2 \to 2 * c_1 + 1$ | Ori $c_2 \approx 2 * c_1 + 1$ |
| 12 | $u(a, c_1 + 1) \approx a$ | Col 1 and 11 |
| 13 | $u(a, c_1 + 1) \to a$ | Ori $u(a, c_1 + 1) \approx a$ |
| 14 | $u(0, a) \approx u(a, c_1 + 1)$ | Ded from 9 and 13 |
| 15 | $u(0, a) \approx a$ | Sim 14 by 13 |
| 16 | $u(0, a) \to a$ | Ori 15 |

Figure 4: AC(X) on the running example.



The strongly fair strategy requirement implies in particular that $\mathrm{headCP}(R_\omega) \subseteq E_\infty$, $E_\omega = \emptyset$ and $R_\omega$ is inter-reduced, that is, none of its rules can be collapsed or composed by another one. Due to the assumptions made over $\mathrm{can}_X$ and $\mathrm{solve}_X$, the following valid properties will be used throughout the proofs:

$\forall t.\ \mathrm{can}(t) \preceq t,$
$\forall s, t.\ s \sim t \Longleftrightarrow s =_{AC} t,$
$\forall s, t.\ s \leadsto_{R_\infty} t \Longrightarrow t \prec s.$

5.1. Soundness. The soundness property of AC(X) is ensured by the following invariant:

Theorem 5.2. For any configuration $\langle E_n \mid R_n \rangle$ reachable from $\langle E_0 \mid \emptyset \rangle$,

$\forall s, t,\ (s, t) \in E_n \cup R_n \Longrightarrow s =_{AC, X, E_0} t.$

Proof. The invariant obviously holds for the initial configuration and is preserved by all the inference rules. The rules Simplify, Compose, Collapse and Deduce preserve the invariant since for any rule $l \to r$, if $l =_{AC, X, E_0} r$, then for any term $s$ rewritten by $\leadsto_{l \to r}$ into $t$, $s =_{AC, X, E_0} t$. If Orient is used to turn an equation $s \approx t$ into a set of rules $\{p_i \to v_i\}$, by definition of $\mathrm{solve}$, $p_i = x_i\rho$ and $v_i = t_i\rho$, where $\mathrm{solve}_X(\lceil s \rceil \approx \lceil t \rceil) = \{x_i \approx t_i\}$. By soundness of $\mathrm{solve}_X$, $x_i =_{X, \lceil s \rceil \approx \lceil t \rceil} t_i$. An equational proof of $x_i =_{X, \lceil s \rceil \approx \lceil t \rceil} t_i$ can be instantiated by $\rho$, yielding an equational proof of $p_i =_{X, s \approx t} v_i$. Since by induction $s =_{AC, X, E_0} t$ holds, we get $p_i =_{AC, X, E_0} v_i$. □
5.2. Completeness. Completeness is established in several steps using a variant of the technique introduced by Bachmair et al. in [BDH86] for proving completeness of completion. This technique transforms a proof between two terms which is not under a suitable form into a smaller one, and the smallest proofs are the desired ones.

The proofs we are considering are made of elementary steps, either equational steps, with AC, X and $E_\infty$, or rewriting steps, with $R_\infty$ and the additional (possibly infinite) set of rules

$R_{\mathrm{can}} = \{\, t \to \mathrm{can}(t) \mid \mathrm{can}(t) \neq t \,\}.$

Rewriting steps with $R_\infty$ can be either $\to_{R_\infty}$^4 or $\leadsto_{R_\infty}$.

The measure of a proof is the multiset of the elementary measures of its elementary steps. The measure of an elementary step is a 5-tuple of type

$\mathrm{multiset}(\mathcal{T}_\Sigma(\mathcal{X})) \times \mathbb{N} \times \mathbb{N} \times \mathcal{T}_\Sigma(\mathcal{X}) \times \mathcal{T}_\Sigma(\mathcal{X}).$

It takes into account the number of terms which are in canonical form in an elementary proof: the canonical weight $w_{\mathrm{can}}(t)$ of a term $t$ is equal to 0 if $\mathrm{can}(t) =_{AC} t$ and to 1 otherwise. Notice that if $w_{\mathrm{can}}(t) = 1$, then $\mathrm{can}(t) \prec t$, and if $w_{\mathrm{can}}(t) = 0$, then $\mathrm{can}(t) \sim t$. The measure of an elementary step between $t_1$ and $t_2$ is defined as follows:

• When performed thanks to an equation, it is equal to $(\{\!\{t_1, t_2\}\!\}, \_, \_, \_, \_)$.

• When performed thanks to a rule $l \to r \in R_\infty$, it is equal to

$(\{\!\{t_1\}\!\}, 1, w_{\mathrm{can}}(t_1) + w_{\mathrm{can}}(t_2), l, r)$ if $t_1 \to_{l \to r} t_2$ or $t_1 \leadsto_{l \to r} t_2$,

and to

$(\{\!\{t_2\}\!\}, 1, w_{\mathrm{can}}(t_1) + w_{\mathrm{can}}(t_2), l, r)$ if $t_2 \to_{l \to r} t_1$ or $t_2 \leadsto_{l \to r} t_1$.

In the case of a $\leadsto$ step, the measure is actually $(\{\!\{t_1\}\!\}, 1, w_{\mathrm{can}}(t_1), l, r)$, since the reduct is always in canonical form.

• When performed thanks to a rule of $R_{\mathrm{can}}$, it is equal to

$(\{\!\{t_1\}\!\}, 0, w_{\mathrm{can}}(t_1) + w_{\mathrm{can}}(t_2), t_1, t_2)$ if $t_1 \to_{R_{\mathrm{can}}} t_2$,

and to

$(\{\!\{t_2\}\!\}, 0, w_{\mathrm{can}}(t_1) + w_{\mathrm{can}}(t_2), t_2, t_1)$ if $t_2 \to_{R_{\mathrm{can}}} t_1$.

Elementary steps are compared lexicographically using the multiset extension of $\prec$ for the first component, the usual ordering over natural numbers for components 2 and 3, and $\prec$ for the last ones. Since $\prec$ is an AC-reduction ordering, the ordering defined over proofs is well-founded.

The general methodology is to show that a proof which contains some unwanted elementary steps can be replaced by a proof with a strictly smaller measure. Since the ordering over measures is well-founded, there exists a minimal proof, and such a minimal proof is of the desired form.

Lemma 5.3. A proof containing an elementary step $\longleftrightarrow_{s \approx t}$, where $s \approx t \in AC \cup X$, is not minimal.

Proof. An elementary equational step using an equation $s \approx t$ of $AC \cup X$ under the context $C[\_]_p$ can be reduced: the subproof

$C[s]_p \longleftrightarrow_{s \approx t} C[t]_p$

is replaced by

$C[s]_p \to^{0,1}_{R_{\mathrm{can}}} \mathrm{can}(C[s]_p) = \mathrm{can}(C[t]_p) \leftarrow^{0,1}_{R_{\mathrm{can}}} C[t]_p.$

The measure strictly decreases, since for the first subproof it is equal to

$\{\!\{ (\{\!\{C[s]_p, C[t]_p\}\!\}, \_, \_, \_, \_) \}\!\},$

and for the second one, it is equal to

$\{\!\{ (\{\!\{C[s]_p\}\!\}, \_, \_, \_, \_)^{0,1},\ (\{\!\{C[t]_p\}\!\}, \_, \_, \_, \_)^{0,1} \}\!\}.$

The rewrite steps $\to_{R_{\mathrm{can}}}$ only occur on a term which is not AC-equal to a canonical form (which is denoted by the $\{0, 1\}$ exponent). The corresponding elementary measure occurs in the global measure of the second subproof accordingly. □

^4 Here, $s \to_{R_\infty} t$ actually means $s \to_{AC \backslash R_\infty} s'$ and $t = \mathrm{can}_{AC}(s')$.

Lemma 5.4. A proof containing an elementary step $\longleftrightarrow_{s \approx t}$, where $s \approx t \in E_\infty$, is not minimal.

Proof. An elementary equational step using an equation $s \approx t$ of $E_\infty$ under the context $C[\_]_p$ can be reduced. Since $E_\omega$ is empty, there is a completion state where $s \approx t$ disappears, either by Simplify or by Orient.

• If Simplify is used to reduce $s$ into $s'$ by the rule $l \to r$ of $R_\infty$, the subproof

$C[s]_p \longleftrightarrow_{s \approx t} C[t]_p$

is replaced by

$C[s]_p \leadsto_{l \to r} C[s']_p \longleftrightarrow_{s' \approx t} C[t]_p.$

The measure strictly decreases, since for the first subproof it is equal to

$\{\!\{ (\{\!\{C[s]_p, C[t]_p\}\!\}, \_, \_, \_, \_) \}\!\},$

and for the second one, it is equal to

$\{\!\{ (\{\!\{C[s]_p\}\!\}, \_, \_, \_, \_),\ (\{\!\{C[s']_p, C[t]_p\}\!\}, \_, \_, \_, \_) \}\!\},$

and $s \succ s'$.

• If the rule Orient turns $s \approx t$ into a set of rules $\pi = \{p_i \to v_i\}$, by definition of $\mathrm{solve}$ we have $\mathrm{solve}_X(\lceil s \rceil \approx \lceil t \rceil) = \{x_i \approx t_i\}$ (denoted as $\sigma$) with $p_i = x_i\rho$ and $v_i = t_i\rho$. Since $\mathrm{solve}_X$ is complete, $\lceil s \rceil\sigma =_X \lceil t \rceil\sigma$. Consider a variable $x$ of $\lceil s \rceil$ or $\lceil t \rceil$:

– if $x \in \{x_i\}$ then $x\rho\pi = p_i\pi = v_i$ and $x\sigma\rho = t_i\rho = v_i$;

– if $x \notin \{x_i\}$ then $x\rho\pi = x\rho$ (since $x\rho \notin \{p_i\}$) and $x\sigma\rho = x\rho$ (since $x\sigma = x$).

In all cases, $x\rho\pi = x\sigma\rho$. The equational step using $s \approx t$ can be recovered as a compound step using $\pi$ and $R_{\mathrm{can}}$ as follows:

$C[s]_p = C[\lceil s \rceil\rho]_p \to^*_\pi C[\lceil s \rceil\rho\pi]_p = C[\lceil s \rceil\sigma\rho]_p \longleftrightarrow^*_{R_{\mathrm{can}}} C[\lceil t \rceil\sigma\rho]_p = C[\lceil t \rceil\rho\pi]_p \leftarrow^*_\pi C[\lceil t \rceil\rho]_p = C[t]_p.$

The set of rules $\pi$ belongs to $R_\infty$, and the measure of the new subproof is a multiset containing only elements of the form $(\{\!\{C[s_i]_p\}\!\}, \_, \_, \_, \_)$, where $s_i$ is a reduct of a subterm $s$ or $t$ by an arbitrary number of steps of $R_\infty$ and $R_{\mathrm{can}}$. In any case, $\{\!\{C[s_i]_p\}\!\} \prec \{\!\{C[s]_p, C[t]_p\}\!\}$. The measure of the new subproof is therefore strictly smaller than the measure of the original subproof. □
Lemma 5.5. A proof containing an elementary rewriting step truly of the form $\to_{R_\infty}$ or $\leftarrow_{R_\infty}$ is not minimal.

Proof. Here, each elementary step $s \to_{R_\infty} t$ is already a (canonized) $\to_{R_\infty}$ step if $t = \mathrm{can}_{AC}(t)$ is in a canonical form w.r.t. can, or it can be replaced by

$s \to_{R_\infty} \mathrm{can}(t) \leftarrow_{R_{can}} t.$

The measure of the first subproof is equal to

$\{(\llbracket s \rrbracket, 1, w_{can}(s) + w_{can}(t), \_, \_)\},$

and the measure of the second one is equal to

$\{(\llbracket s \rrbracket, 1, w_{can}(s), \_, \_), (\llbracket t \rrbracket, 0, \_, \_, \_)\},$

with $t \prec s$. Since $w_{can}(t) = 1$, the measure strictly decreases.

The case $s \leftarrow_{R_\infty} t$ is symmetrical. □

Lemma 5.6. A proof containing an elementary rewriting step of the form $\to_{l \to r}$ or $\leftarrow_{l \to r}$, where $l \to r \in R_\infty \setminus R_\omega$, is not minimal.

Proof. An elementary step using a rule $l \to r$ of $R_\infty \setminus R_\omega$ can be reduced. The rule $l \to r$ disappears either by Compose or by Collapse.

• If Compose reduces $r$ to $r' = \mathrm{can}(r[d])$ by the rule $g \to d$ of $R_\infty$, the subproof

$C[l]_p \to_{l \to r} \mathrm{can}(C[r]_p)$

can be replaced by

$C[l]_p \to_{l \to r'} \mathrm{can}(C[r']_p) = \mathrm{can}(C[r[d]]_p) \leftarrow_{g \to d} C[r]_p.$

The identity $\mathrm{can}(C[r']_p) = \mathrm{can}(C[r[d]]_p)$ holds since $C[r']_p$ and $C[r[d]]_p$ are equal modulo $R_{can}$, that is $AC \cup X$, and such terms have the same canonical forms. The measure strictly decreases, since for the first subproof it is equal to

$\{(\llbracket C[l]_p \rrbracket, 1, w_{can}(C[l]_p), l, r)\},$

and for the second one, it is equal to

$\{(\llbracket C[l]_p \rrbracket, 1, w_{can}(C[l]_p), l, r'), (\llbracket C[r]_p \rrbracket, 0, \_, \_, \_)\},$

with $r' \prec r \prec l$.

• If Collapse reduces $l$ to $l' = \mathrm{can}(l[d])$ by the rule $g \to d$ in $R_\infty$, the subproof

$C[l]_p \to_{l \to r} \mathrm{can}(C[r]_p)$

is replaced by

$C[l]_p \to_{g \to d} \mathrm{can}(C[l[d]]_p) = \mathrm{can}(C[l']_p) \leftarrow_{R_{can}} C[l']_p \leftrightarrow_{l' \approx r} C[r]_p \to_{R_{can}} \mathrm{can}(C[r]_p).$

The measure strictly decreases, since for the first subproof it is equal to

$\{(\llbracket C[l]_p \rrbracket, 1, w_{can}(C[l]_p), l, r)\},$

and for the second one, it is equal to

$\{(\llbracket C[l]_p \rrbracket, 1, w_{can}(C[l]_p), g, d), (\llbracket C[l']_p \rrbracket, \_, \_, \_, \_), (\llbracket C[l']_p, C[r]_p \rrbracket, \_, \_, \_, \_), (\llbracket C[r]_p \rrbracket, \_, \_, \_, \_)\}.$

The last three elements of the second multiset are strictly smaller than the element of the first multiset, since $l' \prec l$ and $r \prec l$. The first element of the second multiset is strictly smaller than the element of the first multiset, since either $g \prec l$, and the fourth component decreases, or $g \sim l$ and $d \prec g$. In this case, $l' = d \prec r$. The first four components are identical, and the last one decreases.

The case $\leftarrow_{l \to r}$ is symmetrical. □

Lemma 5.7. A proof containing a peak $s \leftarrow_{R_{can}} t \to_{R_{can}} s'$ is not minimal.

Proof. All the terms $s$, $t$ and $s'$ involved in the peak are equal modulo AC and X, hence $\mathrm{can}(s) = \mathrm{can}(s')$. The subproof

$s \leftarrow_{R_{can}} t \to_{R_{can}} s'$

is replaced by

$s \to_{R_{can}} \mathrm{can}(s) = \mathrm{can}(s') \leftarrow_{R_{can}} s'.$

The measure strictly decreases, since for the first subproof it is equal to

$\{(\llbracket t \rrbracket, 0, w_{can}(t) + w_{can}(s), \_, \_), (\llbracket t \rrbracket, 0, w_{can}(t) + w_{can}(s'), \_, \_)\},$

and for the second one, it is equal to

$\{(\llbracket s \rrbracket, 0, w_{can}(s), \_, \_)^{\{0,1\}}, (\llbracket s' \rrbracket, 0, w_{can}(s'), \_, \_)^{\{0,1\}}\}.$

$s$ and $s'$ are smaller than or equivalent to $t$ ($s, s' \preceq t$), and the second component strictly decreases, since $\mathrm{can}(s)$ and $\mathrm{can}(s')$ are in a canonical form and $t$ is not. □

Lemma 5.8. A proof containing a peak $s \leftarrow_{R_\infty} t \to_{R_\infty} s'$ is not minimal.

Proof. We make a case analysis over the positions of the reductions.

• In the parallel case, the subproof

$s \leftarrow_{p,\ l \to r} t \to_{q,\ g \to d} s'$

can be seen as

$s = \mathrm{can}(t[r]_p[g]_q) \leftarrow_{R_{can}} t[r]_p[g]_q \leftarrow_{r \leftarrow l} t[l]_p[g]_q \to_{g \to d} t[l]_p[d]_q \to_{R_{can}} \mathrm{can}(t[l]_p[d]_q) = s'.$

The above subproof can be replaced by

$s = \mathrm{can}(t[r]_p[g]_q) \leftarrow_{R_{can}} t[r]_p[g]_q \to_{g \to d} \mathrm{can}(t[r]_p[d]_q) \leftarrow_{r \leftarrow l} t[l]_p[d]_q \to_{R_{can}} \mathrm{can}(t[l]_p[d]_q) = s'.$

The measure strictly decreases, since for the first subproof it is equal to

and for the second one, it is equal to

$\{(\llbracket t[r]_p[g]_q \rrbracket, \_, \_, \_, \_)^{\{0,1\}}, (\llbracket t[r]_p[g]_q \rrbracket, \_, \_, \_, \_), (\llbracket t[l]_p[d]_q \rrbracket, \_, \_, \_, \_), (\llbracket t[l]_p[d]_q \rrbracket, \_, \_, \_, \_)^{\{0,1\}}\},$

and both terms $t[r]_p[g]_q$ and $t[l]_p[d]_q$ are strictly smaller than $t = t[l]_p[g]_q$.

• If $q$ is a strict prefix of $p$, this means that $l \to r$ can be used to collapse the rule $g \to d$, which is impossible since the strategy is strongly fair, and the application of Collapse cannot be infinitely delayed.

• The case where $p$ is a strict prefix of $q$ is similar.

• If $p$ and $q$ are equal, this means that in both reductions, the extended rewriting has been used (second case of Definition 2.1). Otherwise, again, one rule could collapse the other. This means that $l$ and $g$ have the same AC top function symbol $u$. When $l$ and $g$ do not share a common subterm, the reasoning is similar to the parallel case. Otherwise, if they share a common subterm, since the strategy is fair, the head critical pair between $l \to r$ and $g \to d$ has been computed. Let $a$ be the maximal common part between $l$ and $g$, with $l = u(a, b)$ and $g = u(a, b')$. The critical pair is $u(b', r) \approx u(b, d)$. The subterm $t|_p$ where both reductions occur is of the form $u(a, u(b, u(b', c)))$ (or $u(a, u(b, b'))$ if it corresponds exactly to the critical pair).

The subproof can be replaced by

$s \leftarrow_{R_{can}} t[u(u(b', r), c)]_p \leftrightarrow_{u(b', r) \approx u(b, d)} t[u(u(b, d), c)]_p \to_{R_{can}} s'.$

The measure strictly decreases, since for the first subproof it is equal to

$\{(\llbracket t \rrbracket, \_, \_, \_, \_), (\llbracket t \rrbracket, \_, \_, \_, \_)\},$

and for the second one, it is equal to

$\{(\llbracket t[u(u(b', r), c)]_p \rrbracket, \_, \_, \_, \_), (\llbracket t[u(u(b', r), c)]_p, t[u(u(b, d), c)]_p \rrbracket, \_, \_, \_, \_), (\llbracket t[u(u(b, d), c)]_p \rrbracket, \_, \_, \_, \_)\},$

and both $t[u(u(b', r), c)]_p$ and $t[u(u(b, d), c)]_p$ are strictly smaller than $t$. □

Lemma 5.9. A proof containing a peak $s \leftarrow_{R_\infty} t \to_{R_{can}} s'$ is not minimal.

The proof of this lemma is partly made by structural induction over $t$, and we need an auxiliary result in order to study how a proof plugged under a context behaves.

Definition 5.10. Given a context $C[\bullet]_p$, and an elementary proof $\mathcal{P}$, $\mathcal{P}$ plugged under $C[\bullet]_p$, denoted as $C[\mathcal{P}]_p$, is defined as follows:

(1) if $\mathcal{P}$ is an equational step $s \leftrightarrow_{l \approx r} t$, $C[\mathcal{P}]_p$ is $C[s]_p \leftrightarrow_{l \approx r} C[t]_p$,

(2) if $\mathcal{P}$ is a rewriting step $s \to_{l \to r} t$, $C[\mathcal{P}]_p$ is $C[s]_p \to_{l \to r} C[t]_p$,

(3) if $\mathcal{P}$ is a canonized rewriting step $s \to_{l \to r} t$, $C[\mathcal{P}]_p$ is either

$C[s]_p \to_{l \to r} \mathrm{can}(C[t]_p) \leftarrow_{R_{can}} C[t]_p$ if $C[t]_p$ is not in a canonical form,

or

$C[s]_p \to_{l \to r} \mathrm{can}(C[t]_p)$ otherwise.

This definition is extended to a proof made of several steps, by plugging each elementary step under the context. Notice that if a proof $\mathcal{P}$ relates two terms $s$ and $t$, then $C[\mathcal{P}]_p$ relates $C[s]_p$ and $C[t]_p$.

Lemma 5.11. Let $\mathcal{P}_1$ and $\mathcal{P}_2$ be two proofs which do not contain $\to_{R_\infty}$ nor $\leftarrow_{R_\infty}$. If $\mathcal{P}_1$ is strictly smaller than (resp. equivalent to) $\mathcal{P}_2$, then $C[\mathcal{P}_1]_p$ is strictly smaller than (resp. equivalent to) $C[\mathcal{P}_2]_p$. Moreover if $\mathcal{P}_2$ is a step $s \to_{l \to r} t$, $C[\mathcal{P}_1]_p$ is strictly smaller than

$C[s]_p \to_{l \to r} C[t]_p.$

Proof. It is enough to show the wanted result for elementary steps. Let $\mathcal{P}_1$ and $\mathcal{P}_2$ be two elementary steps such that $\mathcal{P}_1$ is strictly smaller than $\mathcal{P}_2$.

• If $\mathcal{P}_1$ and $\mathcal{P}_2$ are $\to_{R_{can}}$ steps, they are of the form

$s_i \to_{R_{can}} t_i$

and the corresponding measures are $(\llbracket s_i \rrbracket, 0, w_{can}(s_i) + w_{can}(t_i), s_i, t_i)$.

- if $s_1 \prec s_2$, then $C[s_1]_p \prec C[s_2]_p$.

- if $s_1 \sim s_2$ and $w_{can}(s_1) + w_{can}(t_1) < w_{can}(s_2) + w_{can}(t_2)$: since $s_1 \sim s_2$, by the AC-totality of $\prec$, we know that $s_1 =_{AC} s_2$, hence $w_{can}(s_1) = w_{can}(s_2)$. This means that $w_{can}(t_1) = 0$ and $w_{can}(t_2) = 1$. Hence $t_1 =_{AC} \mathrm{can}(t_1)$, $t_1 \sim \mathrm{can}(t_1)$ and $t_2 \neq_{AC} \mathrm{can}(t_2)$ and $\mathrm{can}(t_2) \prec t_2$. Since $s_1 =_{AC} s_2$, $\mathrm{can}(t_1) = \mathrm{can}(t_2)$ holds, hence $t_1 \prec t_2$.

If we look at the plugged proofs, we have $C[s_1]_p \sim C[s_2]_p$, $w_{can}(C[s_1]_p) = w_{can}(C[s_2]_p)$, $w_{can}(C[t_1]_p) \leq w_{can}(C[t_2]_p) = 1$ and $C[t_1]_p \prec C[t_2]_p$. The measure is even on the first component, and either strictly decreases on the second component, or weakly decreases over the four first components, and strictly decreases over the last one. In all cases, $C[\mathcal{P}_1]_p$ is strictly smaller than $C[\mathcal{P}_2]_p$.

- if $s_1 \sim s_2$ and $w_{can}(s_1) + w_{can}(t_1) = w_{can}(s_2) + w_{can}(t_2)$, this means that $t_1 \prec t_2$. The case $w_{can}(t_1) = w_{can}(t_2) = 0$ is impossible, since this would imply $t_1 \sim \mathrm{can}(t_1) = \mathrm{can}(t_2) \sim t_2$. Hence $w_{can}(t_1) = w_{can}(t_2) = 1$.

If we look at the plugged proofs, we have $C[s_1]_p \sim C[s_2]_p$, $w_{can}(C[s_1]_p) = w_{can}(C[s_2]_p)$, $w_{can}(C[t_1]_p) = w_{can}(C[t_2]_p) = 1$ and $C[t_1]_p \prec C[t_2]_p$. The measure is even on the first four components, and strictly decreases over the last one. $C[\mathcal{P}_1]_p$ is strictly smaller than $C[\mathcal{P}_2]_p$.

• If $\mathcal{P}_1$ is a $\to_{l \to r}$-step, and $\mathcal{P}_2$ is a $\to_{R_{can}}$ step, necessarily, the first component strictly decreases. The measure of $C[\mathcal{P}_1]_p$ is

$\{(\llbracket C[s_1]_p \rrbracket, 1, w_{can}(C[s_1]_p), l_1, r_1), (\llbracket C[t_1]_p \rrbracket, 0, \_, \_, \_)^{\{0,1\}}\}$

and the measure of $C[\mathcal{P}_2]_p$ is $\{(\llbracket C[s_2]_p \rrbracket, 0, \_, \_, \_)\}$, where $t_1 \prec s_1 \prec s_2$. $C[\mathcal{P}_1]_p$ is strictly smaller than $C[\mathcal{P}_2]_p$.

• If $\mathcal{P}_1$ is a $\to_{R_{can}}$-step, and $\mathcal{P}_2$ is a $\to_{l \to r}$ step, necessarily, the first component weakly decreases and the second component strictly decreases. The measure of $C[\mathcal{P}_1]_p$ is $(\llbracket C[s_1]_p \rrbracket, 0, \_, \_, \_)$, which is strictly smaller than the measure of $C[s_2]_p \to_{l_2 \to r_2} C[t_2]_p$, that is $\{(\llbracket C[s_2]_p \rrbracket, 1, w_{can}(C[s_2]_p), l_2, r_2)\}$, since $s_1 \preceq s_2$.

• If both $\mathcal{P}_1$ and $\mathcal{P}_2$ are $\to_{l \to r}$-steps, they are of the form

$s_i \to_{l_i \to r_i} t_i,$

and the corresponding measures are $(\llbracket s_i \rrbracket, 1, w_{can}(s_i), l_i, r_i)$. The measure of $C[\mathcal{P}_1]_p$ is

$\{(\llbracket C[s_1]_p \rrbracket, 1, w_{can}(C[s_1]_p), l_1, r_1), (\llbracket C[t_1]_p \rrbracket, 0, w_{can}(C[t_1]_p), C[t_1]_p, \mathrm{can}(C[t_1]_p))^{\{0,1\}}\}$

and the measure of $C[s_2]_p \to_{l_2 \to r_2} C[t_2]_p$ is $(\llbracket C[s_2]_p \rrbracket, 1, w_{can}(C[s_2]_p), l_2, r_2)$. If $s_1 \prec s_2$, since $t_1 \prec s_1$, $C[\mathcal{P}_1]_p$ is strictly smaller than $C[s_2]_p \to_{l_2 \to r_2} C[t_2]_p$. Otherwise, $s_1 \sim s_2$ and $s_1 =_{AC} s_2$. Hence $w_{can}(s_1) = w_{can}(s_2)$ and the decrease occurs on the last two components. Therefore

$\{(\llbracket C[s_1]_p \rrbracket, 1, w_{can}(C[s_1]_p), l_1, r_1), (\llbracket C[t_1]_p \rrbracket, 0, w_{can}(C[t_1]_p), C[t_1]_p, \mathrm{can}(C[t_1]_p))^{\{0,1\}}\}$

is strictly smaller than

$(\llbracket C[s_2]_p \rrbracket, 1, w_{can}(C[s_2]_p), l_2, r_2).$

When a step is an equational step, necessarily the decrease occurs on the first component. Since $\prec$ is compatible with plugging terms under a context, the wanted result follows. □
We can now come to the proof of Lemma 5.9.

Proof. Let us denote by $l \to r$ the rule of $R_\infty$, and $g \to d$ the rule of $R_{can}$; since $l$ is in a canonical form (invariant of the completion run), the reduction using $g \to d$ can only take place at a position $q$ which is above or parallel to the position $p$ of the reduction using $l \to r$. We prove by induction that there exists a proof between $s$ and $s'$ which is strictly smaller than the original peak.

• In the parallel case, the subproof

$s \leftarrow_{r \leftarrow l} t \to_{g \to d} s'$

can be seen as

$\mathrm{can}(t[r]_p[g]_q) \leftarrow_{R_{can}} t[r]_p[g]_q \leftarrow_{r \leftarrow l} t[l]_p[g]_q \to_{R_{can}} t[l]_p[d]_q.$

Notice that $t[r]_p[g]_q$ and $t[r]_p[d]_q$ are equal modulo AC, X, hence have the same canonical form. The above subproof can be replaced by

$\mathrm{can}(t[r]_p[g]_q) = \mathrm{can}(t[r]_p[d]_q) \leftarrow_{R_{can}} t[r]_p[d]_q \leftarrow_{r \leftarrow l} t[l]_p[d]_q$

which is actually

$s \leftarrow_{r \leftarrow l} s'.$

The measure strictly decreases, since for the first subproof it is equal to

$\{(\llbracket t \rrbracket, 1, 1, l, r), (\llbracket t \rrbracket, \_, \_, \_, \_)\},$

and for the second one, it is equal to

with $s' \prec t$.

• In the prefix case, we first prove the wanted result when the position $q$ is equal to $\Lambda$. Now we make an induction over $p$, in order to establish that there is a proof between $s$ and $s'$, with a measure (weakly) smaller than $s \leftarrow_{r \leftarrow l} t$, hence strictly smaller than the global measure of the peak. If $p = \Lambda$, rewriting at top with a rule of $R_\omega$ is impossible if it is not an extended rewriting, since $l$ is in a canonical form. In the extended case, the subproof to be replaced has the form

$\mathrm{can}(u(r, l')) \leftarrow_{r \leftarrow l} t \to_{R_{can}} s',$

where $t =_{AC} u(l, l')$ and $s' = \mathrm{can}(u(l, l'))$. By definition of can and since $l$ is in a canonical form and $u$ is an AC symbol, $s'$ is AC-equal to $u(l, \mathrm{can}(l'))$. The subproof can be replaced by

$\mathrm{can}(u(r, l')) = \mathrm{can}(u(r, \mathrm{can}(l'))) \leftarrow_{r \leftarrow l} u(l, \mathrm{can}(l')) =_{AC} s',$

where the identity $\mathrm{can}(u(r, \mathrm{can}(l'))) = \mathrm{can}(u(r, l'))$ holds since $u(r, \mathrm{can}(l'))$ and $u(r, l')$ are equal modulo AC, X. The measure strictly decreases, since for the first subproof it is equal to

and for the second one, it is equal to

where $s' \prec t$ or $s' \sim t$ with $w_{can}(s') = w_{can}(t)$.

If $p$ is of the form $i \cdot p'$, $t$ is of the form $f(t_1, \ldots, t_{i-1}, t_i, t_{i+1}, \ldots, t_n)$, and the proof to be replaced is

$\mathrm{can}(f(t_1, \ldots, t_i[r]_{p'}, \ldots, t_n)) \leftarrow_{r \leftarrow l} f(t_1, \ldots, t_i[l]_{p'}, \ldots, t_n) \to_{R_{can}} s'.$

We may assume without loss of generality that $t_1, \ldots, t_{i-1}, t_{i+1}, \ldots, t_n$ are in a canonical form, since

$s' = \mathrm{can}(t) = \mathrm{can}(f(\mathrm{can}(t_1), \ldots, \mathrm{can}(t_{i-1}), t_i, \mathrm{can}(t_{i+1}), \ldots, \mathrm{can}(t_n)))$

and

$\mathrm{can}(f(t_1, \ldots, t_i[r]_{p'}, \ldots, t_n)) = \mathrm{can}(f(\mathrm{can}(t_1), \ldots, \mathrm{can}(t_{i-1}), t_i[r]_{p'}, \mathrm{can}(t_{i+1}), \ldots, \mathrm{can}(t_n))).$

We also denote as

$s_0 = f(t_1, \ldots, \mathrm{can}(t_i[r]_{p'}), \ldots, t_n)$

and

$s'_0 = f(t_1, \ldots, \mathrm{can}(t_i[l]_{p'}), \ldots, t_n).$

We know that $\mathrm{can}(t_i[l]_{p'}) \preceq t_i[l]_{p'}$, and we distinguish between two cases.

- If $\mathrm{can}(t_i[l]_{p'}) \prec t_i[l]_{p'}$, then by induction hypothesis, there exists a proof $\mathcal{P}$ between $\mathrm{can}(t_i[r]_{p'})$ and $\mathrm{can}(t_i[l]_{p'})$ which is weakly smaller than

$\mathrm{can}(t_i[r]_{p'}) \leftarrow_{r \leftarrow l} t_i[l]_{p'}.$

The decrease is actually strict since an equivalent proof should be in one step, and the only possibility is a step of the form

$\mathrm{can}(t_i[r]_{p'}) \leftarrow_{r \leftarrow l} \mathrm{can}(t_i[l]_{p'}).$

However since $\mathrm{can}(t_i[l]_{p'}) \prec t_i[l]_{p'}$ and $w_{can}(\mathrm{can}(t_i[l]_{p'})) = w_{can}(t_i[l]_{p'})$ cannot be simultaneously true, such an equivalent step is not possible. Among all possible proofs $\mathcal{P}$, we pick a minimal one. By the previous lemmas, $\mathcal{P}$ does not contain $\to_{R_\infty}$ steps, hence $f(t_1, \ldots, \mathcal{P}, \ldots, t_n)$ is strictly smaller than

$\mathrm{can}(s_0) \leftarrow_{r \leftarrow l} t.$

If we consider the proof $\mathcal{P}'$

$s \leftarrow^{\{0,1\}}_{R_{can}} s_0 \leftrightarrow_{f(t_1, \ldots, \mathcal{P}, \ldots, t_n)} s'_0 \to^{\{0,1\}}_{R_{can}} s',$

all its elementary steps are strictly smaller than $(\llbracket t \rrbracket, 1, 1, l, r)$. We have seen that this is true for the middle part, and also for the left part $(\llbracket s_0 \rrbracket, 0, 1, s_0, s)^{\{0,1\}}$, and the right part $(\llbracket s'_0 \rrbracket, 0, 1, s'_0, s')^{\{0,1\}}$.

$\mathcal{P}'$ is a proof between $s$ and $s'$ which is strictly smaller than $s \leftarrow_{r \leftarrow l} t$.

- If $\mathrm{can}(t_i[l]_{p'}) \sim t_i[l]_{p'}$, then by the AC-totality of $\prec$, $\mathrm{can}(t_i[l]_{p'}) =_{AC} t_i[l]_{p'}$. Since $s' = \mathrm{can}(t)$, we know that $s' \preceq t$ and we make a case analysis:

* If $s' \sim t$ then $s'$ is actually $\mathrm{can}_{AC}(t)$ which is AC-equal to $t$. $s'$ contains $t_i[l]_{p'}$ as a subterm and can be reduced with $l \to r$ to $\mathrm{can}(s'[t_i[r]_{p'}])$ which is AC-equal to $t[t_i[r]_{p'}]_i$. Hence $\mathrm{can}(s'[t_i[r]_{p'}]) = \mathrm{can}(t[t_i[r]_{p'}]_i) = s$ and the proof

$s \leftarrow_{r \leftarrow l} s'$

is equivalent to, hence weakly smaller than $s \leftarrow_{r \leftarrow l} t$.

* If $s' \prec t$, then we can first see the peak as follows:
{0,1} . / /,\ 

We eagerly replace every occurrence of $l$ by $r$ in $s_0$ and $s'$, getting respectively $s_1$ and $s''$. Then $s_1$ and $s''$ are equal modulo AC and X, because any proof modulo AC and X between $t$ and $s'$ can be replayed by replacing the $\sigma$-instances of AC and X used originally by $\sigma'$-instances where $x\sigma'$ is $x\sigma$ where every occurrence of $l$ is replaced by $r$. We get the new proof

$s \leftarrow^{\{0,1\}}_{R_{can}} s_0 \to^{*} s_1 \to^{\{0,1\}}_{R_{can}} \mathrm{can}(s_1) = \mathrm{can}(s'') \leftarrow^{*} s' = \mathrm{can}(t).$

Since $s' \prec t$, all terms in the above proof are strictly smaller than $t$, hence the measure of this proof is strictly smaller than $(\llbracket t \rrbracket, 1, 1, l, r)$.

If the proof occurs under a context $t[\bullet]_q$, we know that there is a proof $\mathcal{P}$ between $s = \mathrm{can}(t[r]_{q \cdot p'})$ and $\mathrm{can}(t)$ which is weakly smaller than $(\llbracket t[l]_{q \cdot p'} \rrbracket, 1, 1, l, r)$ (case $\to_{R_{can}}$ at $\Lambda$). Hence

$s \leftrightarrow_{\mathcal{P}} \mathrm{can}(t) \leftarrow_{R_{can}} s'$

is a proof between $s$ and $s'$ which is weakly smaller than

$\{(\llbracket t[l]_{q \cdot p'} \rrbracket, 1, 1, l, r), (\llbracket s' \rrbracket, 0, 1, s', \mathrm{can}(t))^{\{0,1\}}\},$

whereas the measure of the original peak is

$\{(\llbracket t \rrbracket, 1, 1, l, r), (\llbracket t \rrbracket, 0, 2, t, s')\}.$

Since $s' \prec t$, the measure of the new proof is strictly smaller than the measure of the original peak. □

Theorem 5.12. If $s$ and $s'$ are two terms such that

$s \leftrightarrow^{*}_{AC, X, E_\infty, R_\infty} s',$

then

$\mathrm{can}(s)\!\downarrow_{R_\omega} = \mathrm{can}(s')\!\downarrow_{R_\omega}.$

Proof. If $s$ and $s'$ are equal modulo $\leftrightarrow^{*}_{AC, X, E_\infty, R_\infty}$, so are $\mathrm{can}(s)$ and $\mathrm{can}(s')$. By the above lemmas, a minimal proof between $\mathrm{can}(s)$ and $\mathrm{can}(s')$ is necessarily of the form

$\mathrm{can}(s)\ (\to_{R_\omega} \cup \to_{R_{can}})^{*}\ (\leftarrow_{R_\omega} \cup \leftarrow_{R_{can}})^{*}\ \mathrm{can}(s').$

This sequence of steps can also be seen as

^an(s) HR^^kJ*(^k^ ^rJ* ^kan ^Ms')- 

By definition $\to_{R_{can}}$ cannot follow a $\to_{R_\omega}$-step, and $\mathrm{can}(s)$ and $\mathrm{can}(s')$ cannot be reduced by $\to_{R_{can}}$, hence the wanted result. □






S. CONCHON, E. CONTEJEAN, AND M. IGUERNELALA 



5.3. Termination. The proof of termination partly reuses some facts used for the termination proof of AC-ground completion (based on Higman's lemma), but also needs some intermediate lemmas which are specific to our framework^. We shall prove that, under a strongly fair strategy, $R_\omega$ is finite and obtained in a finite time (by cases on the head function symbol of the rule's left-hand side), and then we show that $R_\omega$ will clean up the next configurations and the completion process eventually halts on $(\emptyset \mid R_\omega)$. In order to make our case analysis on rules, and to prove the needed invariants, we define several sets of terms (assuming without loss of generality that $E_0 = \mathrm{can}(E_0)$):

$T_0 = \{ t \mid \exists t_0, e_1, e_2 \in T_\Sigma(X),\ e_1 \approx e_2 \in E_0 \text{ and } t_0 = e_1|_p \text{ and } t_0 \to^{*}_{R_\infty} t \},$

$T_{0X} = T_0 \cup \{ f_X(t_1, \ldots, t_n) \mid f_X \in \Sigma_X \text{ and } \forall i,\ t_i \in T_{0X} \},$

$T_1 = \{ t \mid t \in T_0 \text{ and } \forall p,\ t|_p \in T_{0X} \},$

$T_2 = \{ u(t_1, \ldots, t_n) \mid 2 \leq n \text{ and } u \in \Sigma_{AC} \text{ and } \forall i,\ t_i \in T_1 \}.$

$T_0$ is the set of all terms and subterms in the original problem as well as their reducts by $R_\infty$. The set $T_{0X}$ moreover contains terms with X-aliens in $T_0$. $T_1$ is the set of terms that can be introduced by X from terms of $T_0$ (by solving or canonizing). $T_2$ is a superset of the terms built by critical pairs.

Lemma 5.13. $\forall \gamma, t, s,\ \gamma \in R_\infty \cap T_i^2 \wedge t \in T_j \wedge t \to_\gamma s \Longrightarrow s \in T_j$, for $i, j = 1, 2$. □

The proof is by structural induction over terms (for dealing with rewriting under a context) and by case analysis over $T_j$ when rewriting at the top level. It uses the (quasi-immediate) fact that $T_0 \cap T_2 \subseteq T_1$.

Lemma 5.14. For all accessible configurations $(E_n \mid R_n)$, $E_n \cup R_n \subseteq T_1^2 \cup T_2^2$.
The proof is by induction over $n$, and uses Lemma 5.13.

The first step of the termination proof is to show that $R_\omega \cap T_1^2$ is finite (Lemma 5.17). It is specific to our framework, due to the presence of X^.

Lemma 5.15. Under a strongly fair strategy, if $l \to r_n$ is created at step $n$ in $R_n$ and $l \to r_m$ at step $m$ in $R_m$, with $n < m$, then $r_m$ is a reduct of $r_n$ by $\to_{R_\infty}$.

Proof. The proof is by induction over the length of the derivation, and by case analysis over the rule which has been applied.

• Orient applied on $s \approx t$ cannot create a new rule $p \to v$ with an already present left-hand side, because the strongly fair strategy implies that $s$ and $t$ are fully reduced, and the new left-hand side $p$ is a subterm of $s$ or $t$.

• Simplify, Collapse and Deduce do not create a new rule.

• Compose obviously preserves the invariant. □

Corollary 5.16. Under a strongly fair strategy, $R_\infty$ is finitely branching.

Proof. If $R_\infty$ is not finitely branching, there exists an infinite sequence of rules $(l \to r_n)_n$ where $l \to r_n$ first appears in $(E_n \mid R_n)$. Thanks to Lemma 5.15, since $\to_{R_\infty}$ is included in $\prec$, the sequence $(r_n)_n$ is strictly decreasing w.r.t. $\prec$. The well-foundedness of $\prec$ contradicts the infinity of $(r_n)_n$. □

^ We assume that $\bot$ is not encountered, otherwise, termination is obvious.

^ X may change the head function symbol of terms in an equational proof, which is not the case of AC in standard ground AC-completion.
Lemma 5.17. Under a strongly fair strategy, the set of rules in $R_\omega \cap T_1^2$ is finite.

Proof. If $l \to r$ belongs to the set $R_\omega \cap T_1^2$, $l$ is a reduct of a term $l_0$ in $E_0$ by $\to_{R_\infty}$. Since $\to_{R_\infty}$ is terminating (because it is included in $\prec$), and finitely branching (above corollary), any term has finitely many reducts by $\to_{R_\infty}$. In particular since $E_0$ is finite, there are finitely many possible left-hand sides. Moreover since two distinct rules have distinct left-hand sides, $R_\omega \cap T_1^2$ is finite. □

Here is the second step of the termination proof, finiteness of $R_\omega \cap T_2^2$, which is mostly the same as in the usual AC-ground completion:

Lemma 5.18. The set of persistent rules in $R_\omega$ which are in $T_2^2$ is finite.

Proof. The set $R_\omega \cap T_2^2$ can be divided into a finite union of sets, according to the top AC function symbol of the left-hand side of the rules. We shall prove that for each $u \in \Sigma_{AC}$, the corresponding subset is finite.

Let $u$ be a fixed AC function symbol, and let $u(l_1, \ldots, l_n) \to r$ be a rule of $R_\omega \cap T_2^2$. By definition of $T_2$, and by the soundness of $R_\infty$, each $l_i$ is equal modulo AC, X, $E_0$ to a term in $E_0$. Since $l_i$ is irreducible by $R_\omega$ (otherwise the rule $u(l_1, \ldots, l_n) \to r$ would have collapsed), there is a rewriting proof $k \to^{*}_{R_\omega} l_i$. Notice that two distinct rules in $R_\omega$ have distinct left-hand sides (otherwise one would have collapsed the other) (this implies in particular that $R_\omega$ is finitely branching). Since $\to_{R_\omega}$ is included in a well-founded ordering, and is finitely branching, any term has a finite number of reducts. Since $E_0$ is finite, each $l_i$ belongs to the finite set of reducts $\mathrm{Red}(E_0)$ of $E_0$ by $\to_{R_\omega}$. By Higman's lemma, if there is an infinite number of rules where the left-hand side is of the form $u(t_1, \ldots, t_n)$, there exist two rules $l \to r$ and $l' \to r'$, such that the multiset of arguments $\llbracket l_1, \ldots, l_n \rrbracket$ of $l$ is included in the multiset of arguments $\llbracket l'_1, \ldots, l'_{n'} \rrbracket$ of $l'$. This would imply that the second rule collapses by the first one, which contradicts its persistence. Hence the wanted result. □

When $R_\omega$ has been proven to be finite, we show that once it is obtained, $R_\omega$ will "clean up" the configuration within a finite number of steps, hence the termination:

Theorem 5.19. Under a strongly fair strategy, AC(X) terminates.

Proof. When the strategy is strongly fair, $R_\omega$ is finite. Moreover each rule in $R_\omega$ is obtained within a finite number of steps. Once all persistent rules are present in the rules of the configuration $(E \mid R)$, the rule Orient always returns an empty set of rules. If the measure of a configuration is the triple made of the number of remaining critical pairs to generate, the multiset of terms in $R$ (compared with $\prec$), and the number of equations in $E$, it strictly decreases. □



6. Term Abstraction and Multiset Ordering

In this section, we show that a simple preprocessing step allows us to use a partial multiset ordering instead of a full AC-compatible reduction ordering in the AC(X) algorithm. This optimization is motivated by the fact that although AC-RPO orderings are suitable when proving termination of completion procedures, they are not easily implementable in practice. Our preprocessing step is similar to the Extension inference rule found in Abstract Congruence Closure [BTV03].

Let $K$ be a set of constant symbols disjoint from $\Sigma$ and $X$ and $\prec_X$ be a total rewrite ordering on $T(\Sigma_X \cup K)$. We define two sets of terms $T_E$ and $T_{AC}$ as follows:

$T_E = \{ f(v_1, \ldots, v_n) \mid f \in \Sigma_E \wedge \mathrm{arity}(f) = n \wedge \bigwedge_{i=1}^{n} v_i \in T(\Sigma_X \cup K) \},$

$T_{AC} = \{ u(v_1, u(v_2, \ldots, u(v_{n-1}, v_n) \cdots)) \mid u \in \Sigma_{AC} \wedge n \geq 2 \wedge \bigwedge_{i=1}^{n} v_i \in T(\Sigma_X \cup K) \}.$

In order to enable the use of a multiset ordering as an input for AC(X), we have to transform the original set of ground equations $E$ to a simpler one containing only abstracted equations.

Definition 6.1 (Abstracted equations). An equation $s \approx t$ is said to be abstracted if one of the following statements holds:

1. $s, t \in T(\Sigma_X \cup K)$,

2. $s \in (T_E \cup T_{AC})$ and $t \in T(\Sigma_X \cup K)$,

3. $s, t \in T_{AC}$ and $s(\Lambda) = t(\Lambda)$.

The set of all abstracted equations is denoted by $\mathcal{A}$.

Let $\pi$ be an abstraction function from $T_{AC} \cup T_E$ to $K$ such that if $\pi(s) = \pi(t)$ then $s =_{AC,X} t$. Given a set of ground equations $E_0$, the term abstraction of $E_0$ consists in applying, as long as possible, the following inference rules starting from the initial configuration $(E_0 \mid \emptyset)$.



Abstract1:  $(E \cup \{s \approx t\} \mid E_A) \Longrightarrow (E \mid E_A \cup \{s \approx t\})$  if $s \approx t \in \mathcal{A}$

Abstract2:  $(E \cup \{C[f(\vec{v})] \approx t\} \mid E_A) \Longrightarrow (E \cup \{C[k] \approx t\} \mid E_A \cup \{f(\vec{v}) \approx k\})$  if $C[f(\vec{v})] \approx t \notin \mathcal{A}$, where

1. $f(\vec{v}) \in (T_E \cup T_{AC})$

2. $k = \pi(f(\vec{v}))$

Propositions 6.2 and 6.3 state, respectively, the termination and the correctness of the abstraction process.

Proposition 6.2. The application of the rules Abstract1 and Abstract2 terminates and produces a configuration of the form $(\emptyset \mid E_A)$, where $E_A \subseteq \mathcal{A}$.

Proof. The proof of termination is immediate using a decreasing measure. The size of a configuration is equal to the total sum of the sizes of the terms in its first component. Here, the size of a term is recursively defined in a standard way with 1 for the size of constants in $K$, and 2 for the size of other constants.

It remains to show that if a configuration is of the form $(E \mid E_A)$ and $E \neq \emptyset$, at least one rule applies. Let $s \approx t$ be an equation in $E$. If $s \approx t \in \mathcal{A}$ then Abstract1 applies. Otherwise, since $s \approx t \notin \mathcal{A}$, by condition 1 of Definition 6.1 there is a minimal subterm of $s$ or $t$ which does not belong to $T(\Sigma_X \cup K)$. This term thus has a suitable form to fulfill condition 1 in the rule Abstract2, which applies. □

Proposition 6.3. Let $(E_0 \mid \emptyset) \Longrightarrow^{*} (\emptyset \mid E_A)$ be a fixed run of the abstraction process. For any terms $s, t \in T(\Sigma, \emptyset)$, we have:

$s =_{E_0, X, AC} t \iff s =_{E_A, X, AC} t.$

Proof. The direction $\Longrightarrow$ is immediate for Abstract1. For Abstract2, it rests on the fact that a step using $C[f(\vec{v})] \approx t$ can be replaced by two steps, the first one using $f(\vec{v}) \approx k$ and the second one using $C[k] \approx t$.

In order to prove $\Longleftarrow$, we use the following invariant: if $(E \mid E_A) \Longrightarrow (E' \mid E'_A)$, $s =_{E', E'_A, X, AC} t$ and $s$ and $t$ do not contain any constant in $K$, then $s =_{E, E_A, X, AC} t$. This is immediate when the rule Abstract1 is applied. When Abstract2 replaces $C[f(\vec{v})] \approx t$ by $\{f(\vec{v}) \approx k, C[k] \approx t\}$, we first replace every step using $C[k] \approx t$ by a compound step using $C[k] \approx C[f(\vec{v})]$ followed by $C[f(\vec{v})] \approx t$. Then all occurrences of $k$ are replaced by $f(\vec{v})$ in intermediate terms, and the now useless steps using $f(\vec{v}) \approx f(\vec{v})$ (former $f(\vec{v}) \approx k$) are removed. The transformed proof is now in $=_{E, E_A, X, AC}$; since neither $s$ nor $t$ contain constants in $K$, they are not affected by these transformations. □

Now that we have shown how to abstract the initial set of equations $E$, we will define the reduction ordering $\prec$ that we will use in AC(X). We do not need this ordering to be total on the terms in $T(\Sigma_X \cup K, \emptyset) \cup T_E \cup T_{AC}$. We only need a partial reduction ordering which allows us to get well oriented rewriting rules from the abstracted equations. Let $\prec^{mset}$ be the multiset extension of $\prec_X$. Our reduction ordering is defined by:

1. $\forall v_1, v_2 \in T(\Sigma_X \cup K),\ v_1 \prec_X v_2 \Longrightarrow v_1 \prec v_2$,

2. $T(\Sigma_X \cup K) \prec T_E$,

3. $T(\Sigma_X \cup K) \prec T_{AC}$,

4. $\forall u(\vec{v}_1), u(\vec{v}_2) \in T_{AC},\ \llbracket \vec{v}_1 \rrbracket \prec^{mset} \llbracket \vec{v}_2 \rrbracket \Longrightarrow u(\vec{v}_1) \prec u(\vec{v}_2)$.

After that, we have to show that AC(X) does not introduce non-abstracted equations when collapsing rules, computing critical pairs, using canonized rewriting, and solving equations. Hence, the following lemma:

Lemma 6.4. For any configuration $(E_n \mid R_n)$ reachable from $(E_A \mid \emptyset)$, we have:

$\forall (s, t) \in (E_n \cup R_n),\ s \approx t \in \mathcal{A}.$

Proof. The lemma obviously holds for the initial state. For the induction step, we can easily show that the abstracted form of equations is preserved by canonized rewriting w.r.t. an abstracted rule, hence also when applying the inference rules Simplify, Compose and Collapse. Concerning Deduce, we notice by inspecting the definition of headCP that when $l \to r$ and $l' \to r'$ are abstracted oriented equations, so is the resulting critical pair. The only subtle case is Orient, in particular when solving an equation $s \approx t$, with $s \in T(\Sigma_X \cup K)$ and $t \in T_E \cup T_{AC}$. Due to the definition of $\prec$ and to the fact that the solver has to fulfill the ordering constraints stated in Axiom 3, the solution of $s \approx t$ has to be $t \to s$. □

Finally, we notice that $\prec$ is a suitable ordering for the AC(X) completion procedure since on the equations in $\mathcal{A}$, it coincides with the AC-RPO ordering based on a precedence $\prec_p$ such that $\Sigma_X \cup K \prec_p \Sigma_E \cup \Sigma_{AC}$.
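The abstraction process of this section (Definition 6.1, the rules Abstract1 and Abstract2, the existence argument of Proposition 6.2 and the Orient case of Lemma 6.4), as an added Python example; it is not code from the paper or from Alt-Ergo. It assumes a constructed signature (f, g, a uninterpreted; U the AC symbol; +, 0, 1, 2 from X), treats equations as unordered pairs, implements π as a memo on syntactically equal terms, and lets Abstract2 pick an outermost subterm of T_E ∪ T_AC.

```python
"""Term abstraction of Section 6 (rules Abstract1 and Abstract2) on a constructed
ground signature.  Added example; not the paper's or Alt-Ergo's code."""
from itertools import count

# Constructed signature (assumption): a term is a tuple (symbol, arg1, ..., argn).
SIGMA_E = {"f", "g", "a"}        # uninterpreted symbols; "a" is a constant (arity 0)
SIGMA_AC = {"U"}                 # the AC symbol (binary, nested to the right)
SIGMA_X = {"+", "0", "1", "2"}   # symbols of the Shostak theory X (arithmetic)

def in_TX(t, K):
    """t in T(Sigma_X ∪ K): only X symbols and abstraction constants of K."""
    return (t[0] in SIGMA_X or t[0] in K) and all(in_TX(v, K) for v in t[1:])

def in_TE(t, K):
    """t = f(v1, ..., vn) with f in Sigma_E and every vi in T(Sigma_X ∪ K)."""
    return t[0] in SIGMA_E and all(in_TX(v, K) for v in t[1:])

def in_TAC(t, K):
    """t = u(v1, u(v2, ..., u(v_{n-1}, vn)...)), u AC, n >= 2, vi in T(Sigma_X ∪ K)."""
    u = t[0]
    if u not in SIGMA_AC:
        return False
    vs = []
    while t[0] == u and len(t) == 3:      # peel the right-nested spine
        vs.append(t[1])
        t = t[2]
    vs.append(t)
    return len(vs) >= 2 and all(in_TX(v, K) for v in vs)

def is_abstracted(eq, K):
    """Definition 6.1; equations are unordered, so condition 2 is read both ways."""
    s, t = eq
    te_ac = lambda x: in_TE(x, K) or in_TAC(x, K)
    return ((in_TX(s, K) and in_TX(t, K))                                  # condition 1
            or (te_ac(s) and in_TX(t, K)) or (te_ac(t) and in_TX(s, K))    # condition 2
            or (in_TAC(s, K) and in_TAC(t, K) and s[0] == t[0]))           # condition 3

def find_redex(t, K):
    """Position of an outermost subterm f(v) in T_E ∪ T_AC (the side condition
    of Abstract2); None when t is already in T(Sigma_X ∪ K)."""
    if in_TE(t, K) or in_TAC(t, K):
        return ()
    for i, v in enumerate(t[1:]):
        pos = find_redex(v, K)
        if pos is not None:
            return (i,) + pos
    return None

def replace_at(t, pos, new):
    """C[new], where C[.] is t with the hole at position pos."""
    if not pos:
        return new
    return t[:1] + tuple(replace_at(v, pos[1:], new) if j == pos[0] else v
                         for j, v in enumerate(t[1:]))

def abstract_equations(E0):
    """Apply Abstract1/Abstract2 from (E0 | ∅) as long as possible; returns (E_A, pi, K).
    pi is a memo on the term itself, so pi(s) = pi(t) only for syntactically equal
    (hence AC,X-equal) terms, which is what Section 6 asks of the abstraction function."""
    E, E_A, pi, K, fresh = list(E0), [], {}, set(), count(1)
    while E:
        s, t = E.pop(0)
        if is_abstracted((s, t), K):          # Abstract1: move s ≈ t into E_A
            E_A.append((s, t))
            continue
        side = 0 if find_redex(s, K) is not None else 1   # Abstract2 on s, else on t
        pos = find_redex((s, t)[side], K)
        assert pos is not None, "Proposition 6.2: some rule must apply"
        fv = (s, t)[side]
        for i in pos:                         # the subterm f(v) at that position
            fv = fv[1:][i]
        if fv not in pi:                      # fresh k = pi(f(v)); f(v) ≈ k goes to E_A
            pi[fv] = ("k%d" % next(fresh),)
            K.add(pi[fv][0])
            E_A.append((fv, pi[fv]))
        k = pi[fv]
        s, t = (replace_at(s, pos, k), t) if side == 0 else (s, replace_at(t, pos, k))
        E.insert(0, (s, t))                   # C[k] ≈ t stays in E
    return E_A, pi, K

def orient(eq, K):
    """Orientation forced by conditions 2 and 3 of the ordering: T(Sigma_X ∪ K) lies
    below T_E and T_AC, so an abstracted s ≈ t with exactly one side in T(Sigma_X ∪ K)
    becomes the rule (other side -> that side), as in Lemma 6.4.  None otherwise."""
    s, t = eq
    if in_TX(s, K) != in_TX(t, K):
        return (t, s) if in_TX(s, K) else (s, t)
    return None

# Constructed input E0 (not from the paper): an AC equation, an uninterpreted symbol
# over an AC term, an X-term with an uninterpreted alien, and a repeated subterm.
A, ZERO, ONE, TWO = ("a",), ("0",), ("1",), ("2",)
E0 = [
    (("U", ONE, ("U", TWO, ZERO)), ("U", ZERO, ("U", ONE, TWO))),  # 1 ∪ (2 ∪ 0) ≈ 0 ∪ (1 ∪ 2)
    (("f", ("U", ONE, TWO)), ZERO),                                   # f(1 ∪ 2) ≈ 0
    (("+", ("g", A), ONE), TWO),                                      # g(a) + 1 ≈ 2
    (("f", ("U", ONE, TWO)), ("g", A)),                               # f(1 ∪ 2) ≈ g(a)
]
E_A, PI, K = abstract_equations(E0)        # run on the constructed input
```

On this input the run introduces four constants k1..k4, reuses k1 for the repeated subterm 1 ∪ 2 and k2 for a, and ends with every equation of E_A abstracted; `orient` leaves the purely AC and purely arithmetic equations to ≺^mset and ≺_X respectively.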

7. Experimental Results

We implemented the AC(X) algorithm as well as a preprocessing step that enables the use of a partial multiset reduction ordering (see Section 6). As described in Section 4, the state of the procedure is a pair $(E \mid R)$ of equations and rules. We apply the following strategy for processing an equality $u \approx v \in E$:

Sim* (Tri | Bot | (Ori (Com Col Ded)*)).

First, $u \approx v$ is simplified as much as possible by Simplify. Then, if it is not proven to be trivially solved by Trivial or unsolvable by Bottom, it is solved by Orient. Each resulting rule is added to $R$ and then used to Compose and Collapse the other rules of $R$. Critical pairs are then computed by Deduce.

We benchmark AC(X) and compare its performances with our own SMT solver Alt-Ergo [CC08] and some state-of-the-art solvers (Z3 v2.8, CVC3 v2.2, Simplify v1.5.4). All measures are obtained on a laptop running Linux equipped with a 2.58GHz dual-core Intel processor and with 4Gb main memory. Provers are given a time limit of five minutes for each test and memory limitation is managed by the system. The results are given in seconds; we write TO for timeout and OM for out of memory.

Our test suite is made of crafted ground formulas which are valid in the combination of the theory of linear arithmetic LA, the free theory of equality $\mathcal{E}$ and a small part of the theory of sets defined by the symbols $\cup$, $\subseteq$, the singleton constructor $\{\cdot\}$, and the following axioms:

Assoc:     $\forall x, y, z.\ x \cup (y \cup z) = (x \cup y) \cup z$
Commut:    $\forall x, y.\ x \cup y = y \cup x$
SubTrans:  $\forall x, y, z.\ x \subseteq y \wedge y \subseteq z \Longrightarrow x \subseteq z$
SubSuper:  $\forall x, y, z.\ x \subseteq y \Longrightarrow x \subseteq y \cup z$
SubUnion:  $\forall x, y, z.\ x \subseteq y \Longrightarrow x \cup z \subseteq y \cup z$
SubRefl:   $\forall x.\ x \subseteq x$

The theories $\mathcal{E}$ and LA are built-in for all SMT solvers we use for our experiments. However, contrarily to AC(X) which also natively handles associativity and commutativity, SMT solvers use a generic mechanism for instantiating the axioms $S_\cup$ to reason modulo the AC properties of $\cup$.

In order to get the most accurate information about AC(X), we first benchmark a stand-alone version of our algorithm on ground formulas that can be proved without $S_\subseteq$. In a second step, we consider ground formulas that are only provable with some axioms in $S_\subseteq$. Since these axioms are not directly handled by AC(X), we benchmark a modified version of Alt-Ergo (to benefit from its instantiation mechanism) with AC(X) as its core decision procedure.

In the following, we use the standard mathematical notation $\bigcup_{i=1}^{n} a_i$ for terms of the form $a_1 \cup (a_2 \cup (\cdots \cup a_n) \cdots)$ and we write $\bigcup_{i=1}^{n} a_i \cup b$ for terms of the form $a_1 \cup (a_2 \cup (\cdots \cup (a_n \cup b))) \cdots)$.
7.1. Benchmark of a stand-alone AC(X). We consider two categories of formulas. The first category $C_1$ is of the form
A;=i({e} u uti O^v^ =^ AU A^=p+i Ul, w « U.U ^ > 

^ V ' 

G 

and the second category $C_2$ is of the form
A;=i({ip - P} U Uti « A A;=i' + 1 « =^ G. 

Notice that $n$ is the number of hypothesis equations and $d$ is the maximal depth of AC terms.

Proving the validity of $C_1$-formulas only requires the theory $\mathcal{E}$ and the AC properties of the union symbol. These formulas are directly provable by AC($\emptyset$) and the results for this instance are given in the first column of the table in Figure 5. In order to prove $C_1$-formulas with SMT solvers, the axioms in $S_\cup$ have to be put in their context. The last four columns of the table contain the results for Alt-Ergo, Z3, CVC3 and Simplify.



 n, d   | AC(∅) | Alt-Ergo | Z3   | CVC3 | Simplify
 3, 3   | 0.01  | 0.19     | 0.22 | 0.40 | 0.18
 3, 6   | 0.01  | 32.2     | OM   | 132  | OM
 3, 12  | 0.01  | TO       | OM   | OM   | OM
 6, 3   | 0.01  | 11.2     | 1.10 | 13.2 | 2.20
 6, 6   | 0.02  | TO       | OM   | OM   | OM
 6, 12  | 0.02  | TO       | OM   | OM   | OM
 12, 3  | 0.16  | TO       | 5.64 | 242  | 11.5
 12, 6  | 0.24  | TO       | OM   | OM   | OM
 12, 12 | 0.44  | TO       | OM   | OM   | OM

Figure 5: The results for category $C_1$.



In order to prove the validity of $C_2$-formulas, the theory $\mathcal{E}$, the AC properties of $\cup$ and the theory of linear arithmetic LA are required. These ground formulas are directly provable by AC(LA) and the results are given in the first column of the table in Figure 6. Similarly to category $C_1$, the last four columns of the table contain the results for the SMT solvers we considered. Again, the axioms $S_\cup$ have to be provided in the context, whereas linear arithmetic is directly handled by the built-in decision procedures of these provers.
n, d   | AC(LA) | Alt-Ergo | Z3   | CVC3 | Simplify
3, 3   | 0.01   | 1.10     | 0.03 | 0.11 | 0.19
3, 6   | 0.01   | TO       | 3.67 | 4.21 | OM
3, 12  | 0.01   | TO       | OM   | OM   | OM
6, 3   | 0.02   | 149      | 0.10 | 2.26 | 2.22
6, 6   | 0.02   | TO       | 17.7 | 99.3 | OM
6, 12  | 0.04   | TO       | OM   | OM   | OM
12, 3  | 0.27   | TO       | 0.35 | 44.5 | 11.2
12, 6  | 0.40   | TO       | 76.7 | TO   | OM
12, 12 | 0.72   | TO       | OM   | OM   | OM

Figure 6: The results for category $C_2$.



7.2. Benchmark of Alt-Ergo with AC(X). We now analyze the performance of AC(X) 
when it is used as the core decision procedure of Alt-Ergo. For that, we consider a third 
category $C_3$ of formulas of the form 

A,"=i Utile?} « A Utile + e^}^cPAe^O ^ Ap=i C {If u {e^}) U {e}. 

Proving the validity of $C_3$-formulas requires the theory $\mathcal{E}$, the AC properties of $\cup$, the 
theory of linear arithmetic LA and additionally some axioms in $\mathcal{S}_\subseteq$. We thus only provide 
the axioms $\mathcal{S}_\subseteq$ in the context of the modified version of Alt-Ergo, whereas all the axioms 
in $\mathcal{S}_\subseteq$ and $\mathcal{S}_\cup$ are given in the context of the other SMT solvers. The results of this category 
are given in Figure 7. 



n, d   | Alt-Ergo with AC(LA) | Alt-Ergo | Z3   | CVC3 | Simplify
3, 3   | 0.02                 | 3.16     | 0.09 | 10.2 | OM
3, 6   | 0.04                 | TO       | 60.6 | OM   | OM
3, 12  | 0.12                 | TO       | OM   | OM   | OM
6, 3   | 0.07                 | 188      | 0.18 | 179  | OM
6, 6   | 0.12                 | TO       | TO   | OM   | OM
6, 12  | 0.66                 | TO       | OM   | OM   | OM
12, 3  | 0.20                 | TO       | 0.58 | OM   | OM
12, 6  | 0.43                 | TO       | TO   | OM   | OM
12, 12 | 1.90                 | TO       | OM   | OM   | OM

Figure 7: The results for category $C_3$.



7.3. Benchmarks analysis. The results in Figures 5 and 6 show that, contrary to the 
axiomatic approach, built-in AC reasoning is only mildly sensitive to the depth $d$ of terms: given 
a fixed number $n$ of equations, the running time is proportional to $d$. However, we notice a 
slowdown when $n$ increases. This is due to the fact that AC(X) has to process a quadratic 
number of critical pairs generated from the equations in the hypothesis. From Figure 7 
we remark that Alt-Ergo with AC(X) performs better than the other provers. The main 
reason is that its instantiation mechanism is not spoiled by the huge number of intermediate 
terms the other provers generate when they instantiate the AC axioms. 

8. Instantiation Issues 

Although AC(X) is effective on ground formulas, its integration as the core decision procedure 
of Alt-Ergo suffers from a bad interaction between the built-in treatment of AC and 
the axiom instantiation mechanism of Alt-Ergo, which roughly works as follows: 

• each axiom of the form $\forall x.\, \mathcal{F}(x)$ provided in the context comes with a pattern $P$ (also 
called trigger) which consists of a set of subterms of $\mathcal{F}$ that covers $x$, 

• the solver maintains a set $G$ of known terms extracted syntactically from the ground 
literals that occur during its proof search, 

• $G$ is partitioned into a set of equivalence classes according to the ground equalities 
currently known by the solver, 

• new ground formulas $\mathcal{F}\sigma$ are generated by matching $P$ against $G$ modulo the equivalence 
classes. 

Let us show how this mechanism is used to prove the following ground formula: 

$(F_1) \quad (e \approx d \cup a \;\wedge\; b \subseteq d \;\wedge\; c \approx a \cup d) \Rightarrow b \cup a \subseteq c.$

For that, we only need to use the SubUnion axiom (defined in Section 7): 

SubUnion: $\forall x, y, z.\; x \subseteq y \Rightarrow x \cup z \subseteq y \cup z.$

Let us assume that the pattern for this axiom is the term $x \cup z \subseteq y \cup z$. This pattern is 
matched against the term $b \cup a \subseteq c$ by looking for a substitution $\sigma$ such that 

$(x \cup z \subseteq y \cup z)\sigma = b \cup a \subseteq c$

modulo the set of equivalence classes 

$\{\{e,\, d \cup a,\, a \cup d,\, c\},\ \{a\},\ \{b\},\ \{d\},\ \{b \cup a\},\ \{b \subseteq d\},\ \{b \cup a \subseteq c\}\}.$

Such a substitution exists and maps $x$ to $b$, $z$ to $a$ and $y$ to $d$ since the term $c$ is in the same 
class as $d \cup a$. The proof of $F_1$ follows from the ground instance $b \subseteq d \Rightarrow b \cup a \subseteq d \cup a$ of 
SubUnion. 

Let us now explain the limitation of the interaction between AC(X) and the instantiation 
mechanism. The hypothesis $e \approx d \cup a$ is useless (from a logical point of view) to prove 
$b \cup a \subseteq c$. Hence, the following formula $F_2$ is equivalent to $F_1$: 

$(F_2) \quad (b \subseteq d \;\wedge\; c \approx a \cup d) \Rightarrow b \cup a \subseteq c.$

However, the cooperation of Alt-Ergo and AC(X) fails to prove $F_2$. The reason is that, 
since the term $d \cup a$ does not syntactically occur in $F_2$, the equivalence classes are just 

$\{\{a \cup d,\, c\},\ \{a\},\ \{b\},\ \{d\},\ \{b \cup a\},\ \{b \subseteq d\},\ \{b \cup a \subseteq c\}\}$

and the matching algorithm fails to match $x \cup z \subseteq y \cup z$ against $b \cup a \subseteq c$. 
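The matching step described above, as an added example that is not code from the paper or from Alt-Ergo: a toy E-matcher over a hand-rolled term encoding (all function names and the encoding are ours) that builds the equivalence classes of $F_1$ and $F_2$, merging AC-equal unions the way the built-in AC treatment does, and matches the trigger of SubUnion against $b \cup a \subseteq c$; the match succeeds for $F_1$ and fails for $F_2$, exactly as in the text.

```python
# Added example, not code from the paper or from Alt-Ergo; the encoding is ours:
# variables are strings starting with '?', constants are plain strings, f(l, r) is
# the tuple (f, l, r), with 'U' for union, 'sub' for inclusion and 'eq' for ≈.
def subterms(t):
    yield t
    if isinstance(t, tuple):
        for a in t[1:]:
            yield from subterms(a)

def ac_args(t):
    """Leaves of a nested 'U' term, flattened (A) and sorted (C): AC-equal unions
    such as d ∪ a and a ∪ d get the same list (union leaves are constants here)."""
    if isinstance(t, tuple) and t[0] == 'U':
        return sorted((x for a in t[1:] for x in ac_args(a)), key=repr)
    return [t]

def build_classes(literals):
    """G = syntactic subterms of the literals, partitioned by the 'eq' literals and
    by built-in AC (naive union-find); returns term -> frozenset(its class)."""
    parent = {t: t for lit in literals for t in subterms(lit)}
    def find(t):
        return t if parent[t] == t else find(parent[t])
    for lit in literals:
        if lit[0] == 'eq':
            parent[find(lit[1])] = find(lit[2])
    keys = {}
    for t in parent:                      # AC(X) identifies d ∪ a with a ∪ d
        parent[find(t)] = find(keys.setdefault(tuple(ac_args(t)), t))
    return {t: frozenset(u for u in parent if find(u) == find(t)) for t in parent}

def ematch(pattern, term, classes, subst):
    """E-matching: all substitutions s such that pattern.s lies in the class of term."""
    if isinstance(pattern, str) and pattern.startswith('?'):
        if pattern not in subst:
            return [{**subst, pattern: term}]
        return [subst] if classes[subst[pattern]] == classes[term] else []
    out = []
    for t in classes[term]:               # any known term equal to `term` may match
        if isinstance(t, tuple) and t[0] == pattern[0] and len(t) == len(pattern):
            cands = [subst]
            for p, a in zip(pattern[1:], t[1:]):
                cands = [s2 for s in cands for s2 in ematch(p, a, classes, s)]
            out.extend(cands)
    return out

U = lambda l, r: ('U', l, r)
TRIGGER = ('sub', U('?x', '?z'), U('?y', '?z'))   # pattern of SubUnion: x ∪ z ⊆ y ∪ z
GOAL = ('sub', U('b', 'a'), 'c')                   # conclusion b ∪ a ⊆ c
F1 = [('eq', 'e', U('d', 'a')), ('sub', 'b', 'd'), ('eq', 'c', U('a', 'd')), GOAL]
F2 = [('sub', 'b', 'd'), ('eq', 'c', U('a', 'd')), GOAL]

def sub_union_matches(hyps):
    """Substitutions instantiating SubUnion's trigger against the goal literal."""
    return ematch(TRIGGER, GOAL, build_classes(hyps), {})
```

Under $F_1$ the class of $c$ contains the syntactic term $d \cup a$, so the second argument of the trigger matches with $z$ still bound to $a$; under $F_2$ only $a \cup d$ is known and the binding of $z$ conflicts.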
9. Conclusion 

We have presented a new algorithm AC(X) which efficiently combines, in the ground case, 
the AC theory with a Shostak theory X and the free theory of equality. Our combination 
consists in a tight embedding of the canonizer and the solver for X in ground AC-completion. 
The integration of the canonizer relies on a new rewriting relation, reminiscent of normalized 
rewriting, which interleaves canonization and rewriting rules. We proved the soundness of 
AC(X) by reusing standard proof techniques. Completeness is established thanks to a proof 
reduction argument, and termination follows the lines of the proof of ground AC-completion, 
where the finitely branching result is adapted to account for the theory X. We showed how 
a simple preprocessing step allows us to get rid of a full AC-compatible reduction ordering, 
and to simply use a partial multiset extension of a not necessarily AC-compatible ordering. 

AC(X) has been implemented in the Alt-Ergo theorem prover. The first experiments 
are very promising and show that a built-in treatment of AC, in the combination of the free 
theory of equality and a Shostak theory, is more efficient than an axiomatic approach for 
reasoning modulo AC. 

As illustrated in Section 8, the main concern for using AC(X) as a core decision procedure 
in Alt-Ergo is that it does not saturate equivalence classes of known ground terms modulo 
AC. A naive (and incomplete) solution to this issue would consist in adding, for each known 
ground AC-term t, a small number of AC-equivalent terms (for instance by bounding the 
length of the AC equational proof between them). We rather plan to investigate a more 
elaborate solution which would consist in extending the pattern-matching algorithm of 
Alt-Ergo to exploit both ground equalities and properties of AC symbols. We also plan 
to extend AC(X) to handle the AC theory with unit or idempotence. This will be a first step 
towards a decision procedure for a substantial part of the theory of finite sets. Another future 
work is the extension of AC(X) with a user-defined first-order rewriting system. This could 
be achieved by applying our combination technique to normalized rewriting and normalized 
completion [Mar96]. 